2020-11-11
The Bank of Ghana issued these draft guidelines to establish a structured risk management framework for Rural and Community Banks. The document mandates that these institutions implement comprehensive risk identification, measurement, mitigation, monitoring, and reporting processes across strategic, credit, liquidity, interest rate, operational, fraud, information technology, rapid growth, and product risk categories. It assigns clear oversight responsibilities to boards and senior management, requires the development of tailored risk policies and tolerable limits, and subjects compliance to Bank of Ghana on-site examinations and Apex Bank membership standards.
BANK OF GHANA DRAFT RISK MANAGEMENT GUIDELINES For Rural and Community Banks NOVEMBER, 2020
RISK MANAGEMENT GUIDELINES

CONTENTS

LIST OF ACRONYMS AND ABBREVIATIONS
1.0: INTRODUCTION AND ORGANISATION OF RISK MANAGEMENT GUIDELINES
  1.1 INTRODUCTION TO RISK MANAGEMENT GUIDELINES
  1.2 SCOPE OF GUIDELINES
  1.3 USE OF THE GUIDELINES
PART I: PRELIMINARY
2.0: RURAL BANK AND RISK MANAGEMENT
  2.1 OVERVIEW
  2.2 RURAL BANK AND RISK
  2.3 EXPLANATION OF BASIC TERMINOLOGIES
  2.4 FRAMEWORK FOR RISK MANAGEMENT IN RCBS
PART II: RISK MANAGEMENT GUIDELINES (RMGS) FOR RURAL BANKS
3.0: GUIDELINES ON ROLES AND RESPONSIBILITIES FOR RISK MANAGEMENT IN RCBS
  3.1 OVERVIEW
  3.2 BOARD RESPONSIBILITY FOR RISK MANAGEMENT IN THE RCB
  3.3 MANAGEMENT AND STAFF RESPONSIBILITY FOR RISK MANAGEMENT IN THE RCB
  3.4 RISK MANAGEMENT COMMITTEE
4.0: GUIDELINES FOR STRATEGIC RISK MANAGEMENT
  4.1 OVERVIEW
  4.2 BOARD OVERSIGHT FOR STRATEGIC RISK MANAGEMENT
  4.3 KEY MANAGEMENT PERSONNEL ROLE AND RESPONSIBILITY FOR STRATEGIC RISK MANAGEMENT
  4.4 POLICIES AND PROCEDURES FRAMEWORK FOR STRATEGIC RISK MANAGEMENT
  4.5 GUIDELINES FOR MEASUREMENT, MONITORING AND CONTROL OF STRATEGIC RISK MANAGEMENT
  4.6 INTERNAL CONTROLS OVER STRATEGIC RISK MANAGEMENT
5.0: GUIDELINES FOR CREDIT RISK MANAGEMENT
  5.1 OVERVIEW
  5.2 BOARD OVERSIGHT FOR CREDIT RISK MANAGEMENT
  5.3 KEY MANAGEMENT PERSONNEL ROLE AND RESPONSIBILITY FOR CREDIT RISK MANAGEMENT
  5.4 POLICIES AND PROCEDURES FRAMEWORK FOR CREDIT RISK MANAGEMENT
  5.5 GUIDELINES FOR MEASUREMENT, MONITORING AND CONTROL OF CREDIT RISK MANAGEMENT
6.0: GUIDELINES FOR LIQUIDITY RISK MANAGEMENT
  6.1 OVERVIEW
  6.2 BOARD OVERSIGHT FOR LIQUIDITY RISK MANAGEMENT
  6.3 KEY MANAGEMENT PERSONNEL ROLE AND RESPONSIBILITY FOR LIQUIDITY RISK MANAGEMENT
  6.4 POLICIES AND PROCEDURES FRAMEWORK FOR LIQUIDITY RISK MANAGEMENT
  6.5 GUIDELINES FOR MEASUREMENT, MONITORING AND CONTROL OF LIQUIDITY RISK MANAGEMENT
  6.6 INTERNAL CONTROLS OVER LIQUIDITY RISK MANAGEMENT
7.0: GUIDELINES FOR INTEREST RATE RISK MANAGEMENT
  7.1 OVERVIEW
  7.2 BOARD OVERSIGHT FOR INTEREST RATE RISK MANAGEMENT
  7.3 KEY MANAGEMENT PERSONNEL ROLE AND RESPONSIBILITY FOR INTEREST RATE RISK MANAGEMENT
  7.4 POLICIES AND PROCEDURES FRAMEWORK FOR INTEREST RATE RISK MANAGEMENT
  7.5 GUIDELINES OF MEASUREMENT, MONITORING AND CONTROL OF INTEREST RATE RISK MANAGEMENT
  7.6 INTERNAL CONTROLS OVER INTEREST RATE RISK MANAGEMENT
8.0: GUIDELINES ON OPERATIONAL RISK MANAGEMENT
  8.1 OVERVIEW
  8.2 BOARD OVERSIGHT FOR OPERATIONAL RISK MANAGEMENT
  8.3 KEY MANAGEMENT PERSONNEL ROLE AND RESPONSIBILITY FOR OPERATIONAL RISK MANAGEMENT
  8.4 POLICIES AND PROCEDURES FRAMEWORK FOR OPERATIONAL RISK MANAGEMENT
  8.5 GUIDELINES FOR MEASUREMENT, MONITORING AND CONTROL OF OPERATIONAL RISK MANAGEMENT
  8.6 INTERNAL CONTROLS OVER OPERATIONAL RISK MANAGEMENT
9.0: GUIDELINES FOR FRAUD RISK MANAGEMENT
  9.1 OVERVIEW
  9.2 BOARD OVERSIGHT FOR FRAUD RISK MANAGEMENT
  9.3 KEY MANAGEMENT PERSONNEL ROLE AND RESPONSIBILITY FOR FRAUD RISK MANAGEMENT
  9.4 POLICIES AND PROCEDURES FRAMEWORK FOR FRAUD RISK MANAGEMENT
  9.5 GUIDELINES OF MEASUREMENT, MONITORING AND CONTROL OF FRAUD RISK MANAGEMENT
  9.6 INTERNAL CONTROLS OVER FRAUD RISK MANAGEMENT
10.0: GUIDELINES FOR INFORMATION TECHNOLOGY AND SYSTEMS RISK MANAGEMENT
  10.1 OVERVIEW
  10.2 BOARD OVERSIGHT FOR INFORMATION TECHNOLOGY AND SYSTEMS RISK MANAGEMENT
  10.3 KEY MANAGEMENT PERSONNEL ROLE AND RESPONSIBILITY FOR INFORMATION TECHNOLOGY AND SYSTEMS RISK MANAGEMENT
  10.4 POLICIES AND PROCEDURES FRAMEWORK FOR INFORMATION TECHNOLOGY AND SYSTEMS RISK MANAGEMENT
  10.5 GUIDELINES OF MEASUREMENT, MONITORING AND CONTROL OF INFORMATION TECHNOLOGY AND SYSTEMS RISK MANAGEMENT
  10.6 INTERNAL CONTROLS OVER INFORMATION TECHNOLOGY AND SYSTEMS RISK MANAGEMENT
11.0: GUIDELINES FOR RAPID GROWTH AND EXPANSION RISK
  11.1 OVERVIEW
  11.2 BOARD OVERSIGHT FOR RAPID GROWTH AND EXPANSION RISK
  11.3 KEY MANAGEMENT PERSONNEL ROLES AND RESPONSIBILITY FOR RAPID GROWTH AND EXPANSION RISK
  11.4 POLICIES AND PROCEDURES FRAMEWORK FOR RAPID GROWTH AND EXPANSION RISK
  11.5 GUIDELINES FOR MEASUREMENT, MONITORING AND CONTROL OF RAPID GROWTH AND EXPANSION RISK
  11.6 INTERNAL CONTROLS OVER RAPID GROWTH AND EXPANSION RISK
12.0: GUIDELINES ON PRODUCT RISK MANAGEMENT
  12.1 OVERVIEW
  12.2 BOARD OVERSIGHT FOR PRODUCT RISK MANAGEMENT
  12.3 KEY MANAGEMENT PERSONNEL ROLES AND RESPONSIBILITY FOR PRODUCT RISK MANAGEMENT
  12.4 POLICIES AND PROCEDURES FRAMEWORK FOR PRODUCT RISK MANAGEMENT
  12.5 GUIDELINES FOR MEASUREMENT, MONITORING AND CONTROL OF PRODUCT RISK MANAGEMENT
  12.6 INTERNAL CONTROLS OVER PRODUCT RISK MANAGEMENT
PART III: ANNEXURES
  ANNEX 1: RURAL BANK INDUSTRY: BENCHMARK AND TOOLS FOR RCB RISK MANAGEMENT
  ANNEX 2: RURAL BANK INDUSTRY – RISK ANALYSIS FORM (TEMPLATE)
  ANNEX 3: SAMPLE 5X5 RISK ASSESSMENT MATRIX
  ANNEX 4: SAMPLE SEVERITY MATRIX FOR RISK AND IMPACT MEASUREMENT
  ANNEX 5: SAMPLE KEY RISK INDICATORS TRACKING TEMPLATE
  ANNEX 6: SAMPLE TERMS OF REFERENCE OF RISK MANAGEMENT COMMITTEE (RMC)
  ANNEX 7: ROLES AND RESPONSIBILITY MATRIX FOR RISK MANAGEMENT
  ANNEX 8: TOOLS AND TECHNIQUES FOR RISK IDENTIFICATION AND ASSESSMENT
  ANNEX 9: SAMPLE FRAUD POLICY
  ANNEX 10: ADDITIONAL RISK MANAGEMENT TERMINOLOGIES

LIST OF ACRONYMS AND ABBREVIATIONS

ALCO: Asset-Liability Management Committee
BoG: Bank of Ghana
BPEST: Business, Political, Economic, Social, Technological Analysis
IT: Information Technology
KRI: Key Risk Indicators
RCBs: Rural and Community Banks
MIS: Management Information Systems
PAR: Portfolio At Risk
PESTLE: Political, Economic, Social, Technology, Legal, Environment
RMC: Risk Management Committee
RMGs: Risk Management Guidelines
SWOT: Strengths, Weaknesses, Opportunities and Threats
1.0: INTRODUCTION AND ORGANISATION OF RISK MANAGEMENT GUIDELINES

1.1 Introduction to Risk Management Guidelines
1.3 Use of the Guidelines

10. The RCB’s risk management system has to be designed to meet the threats posed by its business model. The risks will vary significantly depending on the permissible activities, markets and clients served, products, ownership and capital structure, management and staff quality, outreach and degree of computerization, among others. However, the provisions in the guidelines are designed to cover the significant risk types encountered by the RCBs.

11. The risk management guidelines shall form the basic standards to be considered by all RCBs with respect to structures, roles and responsibilities for risk management within the RCB, risk identification, risk measurement, risk mitigation, risk monitoring and reporting.

12. There is no one-size-fits-all risk management system for all Rural Banks. Each RCB will therefore be required to develop appropriate methodologies comprising tools and techniques for identifying, measuring, mitigating, monitoring and reporting of risks in the RCB, as well as the structures, roles and responsibilities for effective risk management.

13. RCBs may be required during Bank of Ghana on-site examination to show their manuals on risk management and evidence of their application. The adequacy or otherwise of an RCB’s risk management system shall be reviewed by the Bank of Ghana during its examinations. The ARB Apex Bank and the Association of Rural Banks may also use the adoption of risk management practices through well documented guidelines as part of conditions for remaining a member in good standing.
PART I: PRELIMINARY
2.0: RURAL BANK AND RISK MANAGEMENT

2.1 Overview

14. The financial intermediation function of RCBs exposes them to a lot of uncertainties which, if not managed effectively, can lead to business failure. Part I of the document provides summary statements on Rural Banks and risk. It emphasizes the importance of risk management and the priority RCBs have to attach to issues of risk and risk management. Basic terminologies including risk, risk management, risk management system, risk management framework, tolerable limits and internal controls are explained.

2.2 Rural Bank and Risk

15. Rural and Community Banks are specialised deposit-taking institutions engaged primarily in deposit-taking business within a defined catchment area [1].

16. The range of financial services includes savings, credit and payment services. Risk is an integral part of activities carried out during financial intermediation. The mobilization of savings and granting of credits, for example, are basic activities that give rise to risk in the operations of the RCBs.

17. Given that risk is part of financial intermediation, RCBs cannot afford to ignore risk. It is therefore important for RCBs to adopt strategies that will facilitate effective and efficient management of risk for the RCB to be successful and meet set financial and social goals.

18. The benefits of an effective risk management system include a profitable and sustainable RCB. RCBs are able to make educated and informed decisions and increase their capacity to protect existing capital and attract new capital.

2.3 Explanation of Basic Terminologies

19. Risk: Risk is the potential that current and future events, expected or not, may have an adverse or harmful impact on the RCB’s capital, reputation, objectives or earnings, among others.

20. Risk Management: Risk management is the process of managing the probability or the severity of the adverse event to an acceptable range or within limits set by the RCB. It is a continual process of systematically identifying, measuring, mitigating, monitoring and reporting the risks in the RCB. This will ensure that the RCB undertakes its operations in a manner that balances risk and reward.

21. Risk Management System: A risk management system is a method of systematically identifying, assessing and managing the various risks faced by an RCB.

22. Risk Management Framework: A risk management framework is a guide for RCBs to design an integrated and comprehensive risk management system that helps them focus on the important risks in an effective and efficient manner. A comprehensive approach to risk management ensures adequate focus and management of all risks that have the potential to adversely affect the RCB.
[1] Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930)
23. Risk Tolerable Limits: These are ceilings that cannot be exceeded as they would expose the RCB to undue risk with potentially serious loss consequences. Risk tolerable limits are approved by the Board.

24. Loss Tolerance Levels: These are the amounts of loss that an RCB is prepared to endure as part of ongoing business operations. Risk tolerance levels are approved by the Board.

25. Trigger Values: These are values of indicators intended to trigger discussion among the Management and Board to understand the causes and assure themselves that the RCB is still well protected.

26. Risk Indicators: These are metrics used by institutions to provide early signals of increasing risk exposures in various functional areas of the RCB.

27. Risk Management Tools: These are specific tools for risk identification, risk measurement, risk prioritizing and developing responses.

28. Board of Directors: Board of Directors or ‘Board’ as used in the guidelines also applies to Executive Councils and Advisory Committees.

29. Senior Management: Key Management Personnel in the context of the risk management guidelines refers to the highest decision-making group of executives. The team is usually made up of the Chief Executive Officer and heads of departments. Where the RCB has a Management Team as its highest executive decision-making group, the Management Team automatically assumes the role of “Senior Management” as referred to in the guidelines.

2.4 Framework for Risk Management in RCBs

30. Effective risk management is a continual process of interrelated activities that focus on identifying, measuring, mitigating, monitoring and reporting risks in the institution. A risk management system has to cover these basic elements.

31. Risk Identification: This is the process of identifying the various risks in the activities carried out by the RCB in its operations. For example, processes relating to savings mobilization, lending and recruitment have risks that would have to be identified. These risks may include risk of loss of deposits mobilized, risk of default with respect to loans taken by borrowers and risk of fraud by employees. Risk is identified through a combination of tools and techniques including team brainstorming, incidence investigations, examination reports, SWOT analysis and benchmarking. It is not a one-off process but a continuous process that has to be understood by all stakeholders of the RCB.

32. Risk Measurement: This is the process through which an RCB assesses the significance of each identified risk. Basic risk measurement covers the determination of the probability that the risk will occur and its potential impact on the RCB’s capital, earnings and profitability, among other impact areas, if it occurs. Without effective risk measurement, an RCB may pay attention to all risks equally and lose out on the significant ones, thus jeopardizing its operations. Risk measurement therefore facilitates prioritization of identified risks. Each RCB must have established limits for risk exposure which basically measure the extent to which an RCB can take losses without causing business failure. A risk severity matrix is one tool used for risk measurement. Each RCB has to formulate a severity matrix in line with its risk appetite and use that to measure identified risks. A sample severity matrix is presented as Annex 4.

33. Risk Mitigation: Also known as risk control or minimization, risk mitigation is the process aimed at reducing risks measured as significant and outside the RCB’s risk tolerable limits. All risks are mitigated through the institution of strategies and controls (preventive, corrective and detective controls). However, in mitigating or controlling risks considered significant, an RCB’s Key Management Personnel may avoid an entire activity, introduce controls to contain the risk and put measures in place to minimize the impact of the risk on the RCB if the risk occurs. Management has to ensure that at all times, the cost of mitigating a potential loss is not higher than the envisaged loss.

34. Risk Monitoring: This is the process of tracking the identified risk indicators to ensure that the RCB’s Key Management Personnel are abreast of changes in the identified risks and their main causes. It is also to ensure that new risks are identified early and further assure the Board and Key Management Personnel that the mitigating factors (controls) are working adequately. Effective risk monitoring and reporting depends on an effective Management Information System. Risk registers and risk tracking schedules facilitate effective monitoring.

35. Effective risk management takes place at three broad levels that need to be understood by RCBs. The three (3) broad levels are presented.

i. Strategic level: Strategic level refers to the highest level of decision making on the organizational structure. It includes risk management functions performed by the Board and Key Management Personnel of the RCB. The core activities carried out at the strategic level include identification and definition of risks; ascertaining the RCB’s risk appetite; formulating strategies and policies for managing risks and establishment of adequate systems and controls to ensure that overall RCB risk remains within acceptable levels.

ii. Macro Level: The second level is mostly middle level managers who are in charge of risk management at departments and other business units such as branches within the RCB. The risk management activities at this level include ensuring operational staff are implementing measures and providing input for strengthening the risk management process.

iii. Micro Level: Micro level largely refers to operational activities carried out by individual staff in their daily decision making activities where most of the risks originate from. Individuals at micro level are seen as taking risk on behalf of the RCB in their daily activities such as account opening, deposit mobilization and initiation of credit activities. The risk management activities at this level comprise strict compliance with documented procedures and operational guidelines.

2.5 Other Ingredients to Risk Management

36. Importance of MIS and Data Collection to Risk Management: Effective risk management relies on accurate and readily available data. RCBs must strive to install effective and robust Management Information Systems (MIS) and data collection and tracking mechanisms. The type of data collected and tracked will vary based on the type of risk under consideration. RCBs should therefore understand the individual risks they plan to control to determine collection and tracking of appropriate data. A reliable MIS is key to risk measurement, tracking of identified risks through risk registers and schedules, monitoring and reporting. Effective MIS is also important for the generation of various models for testing capacity of RCBs to respond to various degrees of risk.
PART II: RISK MANAGEMENT GUIDELINES (RMGs) FOR RURAL BANKS
3.0: GUIDELINES ON ROLES AND RESPONSIBILITIES FOR RISK MANAGEMENT IN RCBs

3.1 Overview

37. An effective risk management system is realised in an environment where there is clarity on the structures for risk management and assignment of roles and responsibilities. The RCB has to specify who has authority to take actions on its behalf because these have direct implications on the design and implementation of an effective risk management framework in the RCB. Although the ultimate accountability for risk management rests with the Board of directors, this is mostly executed through Key Management Personnel and staff. The guidelines provide a framework on roles and responsibilities as well as structures for risk management in the RCB.

3.2 Board Responsibility for Risk Management in the RCB

38. The Board of the RCB oversees the operations of the RCB and is an important check on management’s performance including risk management. The Board’s responsibility for risk management emanates from provisions in various laws and regulations. Section 56 (d) of the Banks and Specialised Deposit-taking Institutions Act, 2019 (Act 930) [2], for example, enjoins Bank of Ghana to ensure prudent operation including matters relating to risk management. The RCB Board has to ensure compliance with the provisions of this section.

[2] Banks and Specialised Deposit-taking Institutions Act, 2016 (Act 930)

39. The Board shall be responsible for ensuring the establishment and operation of an effective risk management system in line with the provisions of this Act. The Board shall also have responsibility for the level of risk assumed by the RCB. To carry out the responsibilities effectively, RCB Boards need to be fully aware of risk management methodologies. This shall be further strengthened through participation in training in Rural Bank risk management within twelve months of appointment.

40. The Board shall ensure Key Management Personnel and other staff responsible for managing RCB risk go through training in risk management and have appropriate expertise for the risk management function.

41. The Board shall ensure the RCB adopts and implements sound methodologies for the identification, measurement, mitigation, and monitoring of risks.

42. In ensuring that the RCB adopts sound methodologies for risk management, the Board shall have responsibility for approving all policies for the RCB including all risk management policies, procedures and strategies; ensure availability of required resources, compliance with approved risk management policies, procedures and strategies; continually assess the relevance of the policies, procedures and strategies in line with existing and emerging risk and hold management accountable.

3.3 Management and Staff Responsibility for Risk Management in the RCB

43. Senior Management: The Key Management Personnel team of the RCB shall have responsibility for designing the system for risk management, development of policies, procedures and strategies for Board approval; and assign responsibilities for the implementation of various components of the risk management system, policies, procedures and strategies. Key Management Personnel shall further ensure that the RCB employs individuals with the appropriate competencies for their roles and that they are given continuous and relevant training to perform their assigned duties; ensure individuals are assigned clear duties and the magnitude of risk in the duties is adequately addressed; maintain open communication that allows managers and staff to identify and report emerging risks; and ensure reasonable segregation of duties as well as appropriate supervisory controls are implemented in the RCB.

44. Branch Management: Branch management and other senior staff of the RCB shall have responsibility for implementation of the approved policies, procedures and strategies; monitoring of adherence to the provisions of the policies, procedures and strategies; and provision of feedback to Key Management Personnel on the suitability or otherwise of the general and specific controls in the various policies and procedures manuals.

45. Operational Staff: RCB operational staff have responsibility to comply with policies and procedures for mitigating risks in their respective work schedules; provision of feedback on the effectiveness and practicality of existing controls; and offering suggestions for improving the overall RCB risk management process.

46. Internal Audit: Each RCB shall have internal audit as part of its internal controls as outlined in Section 59 of the Banks and Specialised Deposit-Taking Institutions Act, (Act 930) [3]. Internal audit shall have the responsibility to review efficiency and effectiveness of risk management in the operations of the RCB, make recommendations and report to the Board. Internal audit shall specifically verify and report on compliance with approved policies and procedures as well as the identification of uncontrolled risks. The findings and recommendations from the internal audit function shall serve as input for identifying new risks and strengthening of controls.

[3] Section 59 of the Banks and Deposit-Taking Institutions Act, 2016 (Act 930)

3.4 Risk Management Committee

47. The RCB Board shall ensure the RCB institutes a Risk Management Committee. A Risk Management Committee (RMC) is a committee that draws its membership from Key Management Personnel and key functional managers to focus on the RCB’s important risks and controls. The RMC serves as a platform for anticipating and managing existing and new risks across the various business departments and units.

48. As part of its responsibilities, the RMC coordinates the identification, measurement, mitigation, monitoring and reporting of risks. The RMC shall conduct a centralized review of all risk management policies on an annual basis to make sure these are effective and are updated appropriately.

49. The Risk Management Committee shall be a separate committee or an existing Management Team may have its mandate expanded to include the responsibilities of a Risk Management Committee. The Risk Management Committee shall meet at least once a month and report its findings on a quarterly basis to the Board of directors.

50. A member of the Risk Management Committee shall be nominated as the risk management coordinator. The coordinator will be responsible for arranging meetings, coordinating with individual members and ensuring documentation of meeting proceedings. The Internal Auditor shall not be part of the Risk Management Committee.
RISK MANAGEMENT GUIDELINES PAGE 16 4.0: GUIDELINES FOR STRATEGIC RISK MANAGEMENT 4.1 Overview 51. Rural Bank strategic risk comprises those uncertainties that emanate from poor strategic business decisions and or ineffective implementation of these decisions with potential adverse impact on the RCB’s earnings, capital and long-term survival. This risk includes poor leadership and ineffective governance from the Board and senior management; inability to proactively identify and respond to changes in the business environment as well as non-compliance with regulatory requirements. 52. The main causes of strategic risk include absence of a functioning Board, weak Board composition, poor oversight by the Board, a Board and Key Management Personnel team that lack industry knowledge to make effective decisions; absence of a welldefined business model that positions the RCB to remain competitive and profitable to achieve its mission; and absence of a well thought through long term plan that is executed to ensure attainment of business objectives. The guidelines on strategic risk management address four risks: governance risk, business environment risk, reputation risk, regulatory and legal compliance risks. 4.2 Board Oversight for Strategic Risk Management 53. The RCB Board has overall responsibility for the management of strategic risk. The Board shall ensure the RCB has in place documented vision and mission statements as well as core values that are known to all stakeholders. The Board shall also ensure the existence of a documented business model, business objectives and strategies that facilitate the attainment of the objectives of the RCB in a sustainable manner. 54. The Board, as part of its oversight responsibilities shall discharge those responsibilities included in the various laws and guidelines such as the Companies Act, and the the Banks and Specialised Deposit-Taking Institutions Act 2016, (Act 930) as well as other best practices for RCBs. 
The specifics are:
- The Board is responsible for the good corporate governance and business performance of the RCB.
- The Board shall ensure it is in full control of the affairs and business of the RCB and that business is conducted in a safe and sound manner.
- The Board shall ensure its size meets the minimum requirements with respect to number, has appropriate mix of skills and at least fifty percent (50%) of the Directors have adequate knowledge and experience in Rural Bank operations and management in order to carry out its mandate.
- The Board shall ensure members receive appropriate training in courses relevant for Rural Bank operations and management.
- The Board shall ensure the RCB has a strong strategic planning framework which produces a strategic plan and/or business plan that takes into consideration the dictates of the regulatory and business environment.
- The Board shall constitute a competent management team to execute the objectives and strategies it has approved.
- Ensure management develops a strategic and/or business plan that clarifies RCB’s business model in line with its permissible activities, demonstrates actions that will facilitate attainment of strategies in the strategic plan, shows operational and financial performance objectives and how resources shall be mobilised and allocated to achieve these objectives.
- Ensure the RCB has put in place appropriate organisational structure that facilitates attainment of organisational objectives; management and staff requirements for achieving organisational objectives; management information systems that ensure availability of reliable and timely information for decision making; reporting and tracking of key performance indicators, strategies and attainment of objectives.
- Ensure RCB complies with all regulatory requirements including strict compliance with permissible activities for its category of RCB; minimum capital requirements; governance requirements; operating norms and reporting requirements.
4.3 Key Management Personnel Role and Responsibility for Strategic Risk Management
55. The RCB’s Key Management Personnel team, led by its Chief Executive Officer, shall have responsibility for ensuring appropriate measures are in place to mitigate strategic risks. The Key Management Personnel team shall undertake the following among others:
- Work with the Board to formulate RCB vision, mission and core values.
- Furnish the Board with relevant and current data that facilitate effective strategy formulation and strategic decision-making. Data shall include, but not be limited to, current and expected economic indicators and their implications for the RCB business and its operations, market size and market share, competition and competitors’ activities.
- Work with the Board to develop objectives and broad strategies geared towards attainment of the mission of the RCB.
- Develop appropriate business model and supporting business plan for the attainment of RCB objectives and submit to the Board for their review and approval.
- Identify and inform the Board on all existing and emerging risks that will affect the attainment of corporate objectives and formulate strategies for reducing the likelihood of these occurring and impact of the respective risks.
- Ensure all initiatives including new products, new markets, recruitment, information technology and systems are subjected to a thorough process of risk identification and measurement to determine the significant risks and their potential impact on the business of the RCB if any of these risks should occur.
- Conduct internal and external institutional assessment at least once each year to document Strengths, Weaknesses, Opportunities and Threats (SWOT) detailing strategies for sustaining strengths, taking advantage of opportunities, addressing weaknesses and threats for the attention of the Board. The basic external environment assessment tool of PESTLE – Political, Economic, Social, Technology, Legal and Environment could be used for the generation of opportunities and threats.
- Ensure staff risk awareness and compliance is heightened through measures such as staff orientation, staff training and review of compliance through performance assessment processes.
- Ensure periodic and timely reporting to the Board on the overall performance of the RCB and assurance of the RCB’s compliance with regulatory provisions. Management reporting to the Board shall be at least once a quarter and preferably before the meeting of the Board.
4.4 Policies and Procedures Framework for Strategic Risk Management
56. RCBs have to adopt appropriate policies and procedures that help reduce the probability of various strategic risks occurring and mitigate the impact if any should occur. These policies and procedures are directed at achieving the vision, mission and objectives of the RCB in line with the overall risk management framework of the RCB.
4.4.1 Governance Risk
57. The nature of RCB ownership structure, size and operations expose it to the risk of poor corporate governance practices with its attendant implications of inadequate board oversight and absence of strategic direction for RCBs to achieve their missions. Governance gaps include lack of understanding of the concept of Rural Bank and roles of the Board as well as the absence of distinction between responsibilities of the Board and Key Management Personnel, leading to the Board’s involvement in the day to day operations of the RCB. The management of governance risk contributes significantly to the attainment of RCB objectives and ensures business sustainability.
58. Policies and procedures that contribute towards the management of governance risk are highlighted:
- The RCB Board shall adopt a board manual that among others, shall spell out the mandate and duties of the Board and individual directors including legal obligations, need to provide strategic direction to the RCB, fiduciary obligations and exercise of oversight; board composition and performance assessment; board development and training; board succession; board conduct and meeting management.
- There are clear lines of authority and clarification of roles and responsibilities for the Board and Key Management Personnel to avoid co-mingling of responsibilities.
- The Board’s mandate is understood by all Board members and Key Management Personnel and these are adhered to by the respective parties.
- The Board shall exercise oversight with respect to management responsibilities and hold Key Management Personnel accountable for the implementation of approved strategic decisions through a well laid out accountability and feedback framework.
- The Board shall determine its information needs and demand access to relevant information on a periodic basis to perform its mandate. Standard report formats and contents shall be agreed to meet the needs of the Board.
- The Board and Key Management Personnel shall identify governance risks and develop strategies for mitigating these risks. For each of the significant risks, the Board shall ensure that these are assigned to responsible staff such that there is a risk owner for each significant risk.
- The Board and Key Management Personnel shall adopt a framework for annual review of the internal and external business environment using techniques such as SWOT and PESTLE.
59. The policies and procedures shall ensure identification of emerging risks relating to business performance and continuity. Specific strategies shall be outlined to address the identified risks as presented:
- The Board and Key Management Personnel shall periodically review operations of the RCB in line with approved strategies to ensure that deviations are identified early and addressed by the responsible persons.
- The Board shall ensure that Key Management Personnel has a mechanism for carrying out training needs assessment, development of training plan and training budget for the Board and Key Management Personnel training in compliance with the requirements of the Business Rules and Sanctions for RCBs.
- Key Management Personnel shall establish guidelines for adopting appropriate Management Information System (MIS) that facilitates generation of timely reports for board and management decision making as well as regulatory reporting – prudential and other statutory reporting.
- Key Management Personnel shall assure the Board through reports that it is operating within its mandate, carrying out only permissible activities and complying with other regulatory requirements.
4.4.2 Business Environment Risk
60. RCBs operate in the wider business environment and are affected by changes in the environment. The nature of operations and interactions with the external environment expose RCBs and their business activities to various business risks. Natural events, political instability, broad economic performance and economic decisions, competition and activities of competitors are some of the causes of business environment risks. RCB Board and Key Management Personnel need to anticipate these changes and institute measures to respond to them.
61. Specific policies and procedures that are considered relevant are presented:
- The Board and Key Management Personnel of the RCB shall, through its strategic planning process, identify all the risks inherent in the business environment that can affect achievement of its business objectives. This shall be based on the use of past trends, expert opinions, environmental factors, socio-economic trends and assumptions on how current and future events shall turn out.
- The RCB shall include in its strategy documents and business plan, specific measures aimed at addressing the potential threats it has identified under various assumptions and scenarios, to minimise their potential impact on the RCB and its plans for realising available opportunities in the business environment.
- The RCB shall institute mechanisms to periodically test the effectiveness of the measures it has outlined to minimise external risks and document results from these tests. The mechanisms shall include but not be limited to variance analyses of planned and actual external events with clear statements on causes of variances that are outside tolerable limits, and the measures to address these variances.
4.4.3 Reputational Risk
62. The Rural Banking subsector and individual RCBs face various degrees of credibility challenges that can have adverse effects on their operations. Reputation risk refers to the risk to earnings or capital arising from negative public opinion, which may affect an RCB’s ability to mobilize and retain savings, extend credit and receive payment from borrowers, and have access to competitive capital and other resources needed for its operations.
63. Activities that can bring an RCB into disrepute include inability to return deposits on demand, inconsistencies and inaccuracies in client records on loans, investments and savings, extending credit for illegal activities and other unethical behaviours of individual directors, management and staff.
64. Specific guidelines to be observed in reducing the likelihood of reputation risk and mitigating its potential effect on RCB earnings and capital are presented:
- RCBs should recognise their reputation and that of the industry as an intangible asset to be protected.
- RCBs should work at creating awareness among staff and other stakeholders on the importance of reputation and the need to preserve RCB and industry reputation.
- RCBs shall through a formal process identify activities and events with the potential to bring the RCB and wider Rural Bank industry into disrepute and put measures in place to reduce the likelihood of these events occurring and corrective measures such as public and press briefings to mitigate the effect of these risks if any should occur.
- RCBs need to sign and comply with industry code of ethics and Rural Bank industry initiatives such as responsible inclusive finance as will be adopted by the ARB Apex Bank.
- RCBs should maintain transparent and open communication lines with the regulator, donors and partners, clients and other industry stakeholders to minimise miscommunication and related challenges.
- Maintain information system that ensures accurate and timely reconciliation of client accounts, effective and efficient business operations management, reporting to regulators and other key stakeholders.
4.4.4 Regulatory and Legal Compliance Risk
65. RCBs operate in a regulated environment and are therefore required to comply with the provisions of applicable laws, rules and regulations. There are, however, instances in which RCBs either fail to comply or comply partially with these provisions, which expose RCBs to compliance risk. Non-compliance exposes the affected RCB to sanctions including various forms of penalties and fines and can also result in withdrawal of RCB licence.
66. RCBs therefore need to continuously identify compliance related risks and institute mechanisms for reducing the likelihood of non-compliance and measures to recover quickly if this should occur.
67. Specific guidelines to be observed in reducing the likelihood of compliance risk and mitigating its potential impact are presented:
- The Board and Key Management Personnel of the RCB have to adopt approaches that ensure continuous identification of key regulatory and legal provisions that have to be observed; assess RCB’s capacity to meet the provisions and weigh the risks in not meeting these provisions; formulate strategies that ensure the significant risks are adequately mitigated.
- The Board and Key Management Personnel of the RCB have to ensure continuous compliance with all relevant laws and regulations particularly licensing, regulatory and business operating norms emanating from national and local authorities as well as their relevant reporting requirements. Examples of compliance areas include minimum capital requirements, prudential and market conduct reporting, as well as assembly operating licences.
- The Board has to ensure the RCB has an open relationship with the regulator regarding its operations, open up for onsite supervision, facilitate offsite supervision and seek the needed support and cooperation from the regulator.
- The Board, Key Management Personnel and staff require appropriate training to understand specific provisions relating to their schedules in meeting all prudential and non-prudential requirements.
- The Board, Key Management Personnel and staff have to participate in programmes organised by the Regulator and Industry Associations aimed at educating them on regulatory and other compliance requirements.
4.5 Guidelines for Measurement, Monitoring and Control of Strategic Risk Management
68. In measuring the probability and potential impact of the various strategic risks on the RCB, the Board and Key Management Personnel will focus on the adequacy of internal policies and procedures as well as the extent to which these policies and procedures are effective to control the occurrence and mitigate the potential effect of identified risks. The RCB’s risk severity matrix will serve as a guide for measuring the various risks. Key risk indicators will include number of board members, number of board meetings for a defined period, quality of board oversight, minimum capital level and capital adequacy ratios, market size and market share among others.
69. RCBs should have a structured approach for the collection and analysis of data on a continuous basis. The type of data to be collected and monitored by the Board and Key Management Personnel are presented:
- Economic data with relevance for the Rural Banking subsector including inflation, interest rates, treasury bill rates and general lending rates among others.
- Government initiatives and programmes announced in development plans, policies and budgets that have implications for the Rural Bank industry.
- Periodic pronouncements of the regulator through notices and letters should be monitored, and their implications for the various components of strategic risk analysed.
- Media publications and changes in the industry landscape should be continuously monitored and implications for the RCB and Rural Banking subsector brought to the attention of the Board by Senior Management.
- Data on business performance including competition, market size, estimated market share, performance of individual products; performance of branches and staff productivity.
- The performance of the RCB’s strategic and business plans should be reviewed periodically, at least once a year.
- The performance of the RCB’s annual budget should be discussed on a quarterly basis. The Board should be furnished with management accounts that show quarterly budget and actual performance that spells out the variances, causes of significant variances outside tolerable limits and actions to address performance outside acceptable limits.
4.6 Internal Controls over Strategic Risk Management
70. An effective internal control system ensures that RCBs function effectively. Appropriate internal controls are required over strategic risk to assure the Board and Key Management Personnel that potential risks are kept under control.
71. The specific internal controls to be observed by RCBs include the following:
- Organizational structure: The RCB has in place an organisational structure that provides clarity on various departments and organisational units, clarifies functions, authority levels and reporting lines of the various departments and organisational units with respect to the formulation and responsibility for the various objectives and strategies included in strategic and business plans as well as for the implementation of approved plans and initiatives.
- Segregation of duties: As much as possible the RCB has shown adequate segregation of duties among the key organisational actors. Effective segregation is important for the Board to supervise the Key Management Personnel and for the Key Management Personnel to supervise other staff levels. Separation over initiations, approvals/authorisations and executions are critical to ensure that potential risks are minimised.
- Reporting: A defined mechanism for reporting on the outturn of the approved plans and initiatives, clarifying responsibility for reports and reporting, format and content of reports, and periodicity of reporting shall be established and complied with.
- Management Information System: A reliable infrastructure and structure for collating, analysing and reporting on critical information for management decision making is in place.
- Independent Checks: A framework for carrying out independent checks is required to periodically assure the Board, Key Management Personnel and other stakeholders on the effectiveness of controls put in place to mitigate strategic risks. Independent checks shall be carried out by the RCB’s Internal Auditor.
5.0: GUIDELINES FOR CREDIT RISK MANAGEMENT
5.1 Overview
72. The RCBs are mandated by their permissible activities to extend credit and face several uncertainties inherent in the lending activity. These uncertainties can have adverse effects on their institution’s capital and earning capacity. This may occur as a result of the loss of income resulting from the RCB’s inability to collect all or part of the envisaged interest earnings on due dates as well as the potential loss of the principal amount due to loan defaults. Credit risk and its management is even more important given that, for most RCBs that are permitted to lend, the loan portfolio is the largest earning asset and has the highest risk among financial assets. Credit risk also triggers other risks such as liquidity and reputation risks.
73. RCB credit risk has two major components, transaction risk and portfolio risk. The transaction risk relates to uncertainties that arise from the individual or group loans. Portfolio risk arises out of the combined risks from the individual and group loans.
74. The main causes of credit risk emanate from both internal and external sources. These include: absence of sound lending methodologies that can reduce potential credit risk; non-usage of credit reference bureaus that can facilitate identification of clients with bad credit history; absence of and in some cases non-compliance with laid down credit management policies and procedures; the inability or unwillingness of the borrower to keep to the loan obligations; poor credit product and client matching; over concentration of loans in one client, sector, product or branch; poor portfolio tracking, monitoring and reporting; and natural disasters. An effective framework is therefore required for managing credit risk to keep the RCB’s credit risk exposure within tolerable limits.
5.2 Board Oversight for Credit Risk Management
75. The Board has oversight responsibility for credit risk management. As part of this, the Board has to ensure that the RCB’s Key Management Personnel puts in place a credit risk management strategy that outlines the major risks anticipated in the individual loans and the loan portfolio as well as the specific policies and procedures designed to mitigate the identified risks.
76. The specific responsibilities of the Board shall include the following:
- Ensure RCB complies with the provisions on Credit Operations, Exposure Rules/Restrictions on Lending and Portfolio Management Norms [4].
- Ensure RCB has a credit strategy that is part of the strategic and/or business plan and includes targets for growth, portfolio quality and profit among other critical factors.
[4] Section 57 of the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930)
- Review and approval of the RCB’s chosen market, targeted loan clients and loan products.
- Approval of the risk tolerable levels and policies that ensure RCBs do not operate outside the risk tolerable levels.
- Ensure RCB keeps within the approved policies such as those relating to markets, clients, sectors and concentration limits.
- Ensure internal capacity exists for credit risk management among the Key Management Personnel, Branch Management and operational staff.
- Ensure the RCB has a sound methodology for the identification, measurement and mitigation of credit related risk.
- Demand and review loan portfolio reports with focus on actual performance compared to approved budget, sources of loanable funds, trends in disbursement, various sectors and their respective proportions, loan sizes, portfolio quality ratios and reasonableness of the provisions for doubtful debts and rescheduled loans.
- Request annual independent review of credit management within the RCB to assess the state of compliance and effectiveness of the approved policies and procedures.
- Satisfy itself that the requirements of the regulator with respect to the individual loan transactions and loan portfolio in areas such as provisioning and write offs, renegotiation and rescheduling, related and connected parties are adhered to.
- Ensure that the management information system that generates reports on the performance and quality of loan portfolio is reliable and has capacity to generate detailed analyses and ratios to facilitate decision making at Key Management Personnel and Board levels.
5.3 Key Management Personnel Role and Responsibility for Credit Risk Management
77. RCB Key Management Personnel has the responsibility to develop sound policies and procedures on credit risk management for board approval and ensure these are implemented as part of the RCB’s operational activities to lower the probability of credit risk and its eventual impact.
78. RCB Key Management Personnel shall be responsible for the following among others:
- Establish RCB’s credit risk tolerable levels for Board consideration and approval.
- Develop detailed credit strategy that addresses growth targets, portfolio quality targets, profit targets, specific markets, and specific sectors and segments to serve as well as products for the respective markets.
- Develop sufficient policies and procedures that facilitate achievement of goals in the credit strategy.
- Put measures in place to ensure staff responsible for credit management are appropriately trained and they adhere to the relevant policies and procedures.
- Establish a sound credit risk management system that facilitates credit risk identification, assessment, mitigation, testing, monitoring and reporting for Board approval.
- Generate and review loan portfolio reports at least once a month. For each of the reports, compare actual performance to approved budget and explain causes of significant variances; analyse and report on the sources of loanable funds; analyse trends in disbursement, loans to various sectors and their proportions; analyse portfolio quality and ratios and assess reasonableness of the provisions for doubtful debts, renegotiated and rescheduled loans and report same to the Board.
- Ensure compliance with all requirements of the regulator with respect to the individual loan transactions and loan portfolio.
- Ensure that the management information system generates timely and reliable reports on the performance of loan portfolio to facilitate decision making and reporting to the board.
5.4 Policies and Procedures Framework for Credit Risk Management
79. Each RCB shall be required to adopt policies and procedures that keep credit risk exposures within tolerable limits. These are mostly captured in a “Credit Management Policies and Procedures Manual”. The policies and procedures shall cover the following as a minimum:
- There has to be a credit philosophy that drives the RCB in its credit business. The credit philosophy shall outline the broad rationale for extending credit and broad strategies that ensure the expectations outlined in the philosophy are achieved.
- Provide for the establishment of a credit (loans) management committee that also has responsibility for credit risk management in its terms of reference.
- RCB has in place a market assessment criteria that guides selection of markets to serve, with clarity on economic sectors, geographical areas and client profiles to be covered and measures for ensuring the matching of credit products to the needs of the market.
- RCB shall adopt a formal approach for risk identification through market assessment, market and portfolio review; risk measurement through review of the quality of existing controls and mitigating factors in respect of each identified risk; selection of significant risks and provision of measures to address these risks.
- Provide detailed step-by-step procedures covering the process of educating potential clients on loan products, product features and client responsibilities; documentation and actions on completion of client application; elements of application review and loan appraisal.
- Provide guidance on how to review the loan applicant’s industry to establish trends in the industry; critical review of purpose of credit and source of repayment for the loan; assessment of adequacy of the requested loan amount compared to the purpose of the loan; assessment of adequacy of cashflow from the repayment source and its consistency through the life of the loan; reference checking on credit history of applicant where available; assessment of ability and willingness of the client to comply with the loan contract.
- Provide procedures to check and ensure that credit products are appropriate for the target market and do not harm individual clients. Measures that ensure the RCB satisfies itself that loan client’s quality of life will not worsen because of loan repayment shall be adopted as part of measures to reduce the risk of client over-indebtedness.
- Policies on loan sizes are established in accordance with regulatory provisions and for the various categories of clients, secured and unsecured loans.
- Policies and supporting procedures are instituted to ensure that single party exposures are within tolerable and regulatory limits; related party and connected lending transactions are within the regulatory provisions to control the risks that arise from these types of transactions.
- Policies on the use of collateral and other guarantee schemes are established and procedures for implementing these policies are outlined. Steps to minimize the risk inherent in the type of collateral pledged should be reviewed and outlined.
- Statements on portfolio diversification and avoidance of loan concentration along individual products, industry and sector limits as well as branch and geographical locations shall be established with the broad objective of minimizing concentration risk.
- RCBs have to document detailed descriptions of processes guiding loan documentations and file management requirements with the supporting procedures to be followed by the respective schedule officers.
- Establish policy on portfolio reporting and its scope including level of details such as reporting up to branch, officer and product levels; key performance and risk indicators to be highlighted in the portfolio report such as portfolio at risk (PAR) ratio, arrears rate and other repayment performance measures, ageing analysis and variances between budgeted and actual results.
- Establish policy on loan monitoring, outlining procedures for selecting clients for monitoring, signs to look out for during monitoring, questions to ask and client education during monitoring and post monitoring reporting. Monitoring reports and schedules to be generated during monitoring should show among others, clients visited, findings, state of the loans and recommendations.
- Description of key credit risk indicators to be monitored and tracked as part of portfolio quality management including portfolio at risk ratio, arrears and collection rates.
- Provide strategies for managing delinquent loans and loans in default with attention to the use of appropriate collection methods. Where the RCB uses a collection agency it would have to clarify the treatment of loan clients to avoid the use of inappropriate collection methods.
RISK MANAGEMENT GUIDELINES PAGE 28 Establish procedures for educating staff and clients on the RCB’s credit philosophy, credit policies and procedures to enhance awareness and compliance. Outline specific steps to follow in computing provisions and eventual write-off, rescheduling and renegotiation of loans should be outlined and be in compliance with the write off policy of the Guide for financial publication for Banks and BOG Licensned Financial Institutions, 2017. 5.5 Guidelines for measurement, Monitoring and Control of Credit Risk Management 80. Credit risk measurement adopted by the RCB, shall be in line with the provisions in the institution’s risk severity matrix and as compared to tolerable risk limits established by the RCBs. Each of the identified credit risks shall be evaluated with respect to the probability that the risk will occur and the potential impact on capital and earnings to determine the significance of the risk and the appropriate treatment it should be given. 81. Risk indicators that can be used for purposes of measurement include average loan sizes, portfolio at risk ratio, collection rates, arrears rate, loan loss ratios and write off amounts. The indicators are key and tracking them helps in assessing the direction of the key risks. 82. RCB credit risk monitoring and control is achieved through continuous review at on and off sites with focus on individual, group and business loans. The loan portfolio quality indicators shall be monitored continuously through the tracking of key credit risk indicators to ensure immediate action can be taken at the least sign of deterioration. 83. RCB credit risk monitoring should also be designed to facilitate assessment of the extent to which provisions in the respective loan contracts are complied with especially for high credit exposures. 
Results from monitoring that show some indicators are outside the tolerable limits shall form the basis for decision making in areas such as review of credit philosophy, market selection, suspension of products from the market, stoppage of lending activities of officers and branches with deteriorating portfolios, and the enforcement of collection strategies.

5.6 Internal Controls over Credit Risk Management
84. Internal controls to observe in respect of credit risk management are presented below.
Organisational Structure: The RCB shall have clear demarcation of departments and units that have responsibilities for credit and credit risk management; structures shall clarify authority for initiation, approval and accountability for the various stages in the process of credit administration and management. A credit committee with responsibility for the review and approval of credit proposals and overall credit risk management shall be established.
Segregation of Duties: Depending on the size of the RCB, adequate segregation of duties in the credit management process shall be instituted and adhered to; in its absence there must be strong supervisory controls.
Establishment of Limits: Credit approval limits shall be established and maintained for each loan product, authority level, individual, branch and committee. It is important that credit approvals be translated into various limits.
Documentation: Documents shall be completed for each loan and verified by a designated officer separate from the officer who compiled the documentation.
Approval Authority: Each loan recommendation shall be approved in writing and/or by completion of designated sections of the application form prior to disbursement.
Custody: The RCB shall ensure safe custody and easy retrieval of information in respect of loans.
Monitoring: Each loan shall be monitored through its life cycle by designated staff who shall have documentary evidence to show that monitoring has been done.
Compliance with Policies and Procedures: The Board and Key Management Personnel shall ensure that credit policies and procedures are communicated to and complied with by all actors involved in the credit management process.
Management Information System: Key Management Personnel has to ensure the system for collecting and analysing credit transactions and data is reliable and generates accurate data on a timely basis to facilitate effective credit risk decision making. The MIS facilitates portfolio analyses at various levels of aggregation and disaggregation.
6.0: GUIDELINES FOR LIQUIDITY RISK MANAGEMENT
6.1 Overview
85. The financial intermediation function carried out by RCBs requires them to maintain an adequate level of liquid assets to be able to meet payment calls on deposit liabilities. This implies that an RCB has to strive to have sufficient liquid assets to meet its own operating requirements and the demands of its depositors. Liquidity risk of the RCB is the possibility that the interest of the RCB, its owners, clients, staff and other stakeholders could be adversely affected due to the inability of the RCB to meet its cash obligations in a timely and cost-efficient way.
86. The key causes of liquidity risk include low and depleting capital levels due to persistent loss making, Senior Management’s inability to accurately and adequately plan for changes in sources and uses of cash, rapid expansion and growth, excessive asset acquisition, diversion of funds, fraud, suppression of cash, unsustainable high charges and expenses on financial liabilities (savings and investments mobilized), and poor credit decisions leading to delays and non-payment of loan obligations by loan clients.
87. RCBs need to maintain liquidity positions in line with provisions for liquidity requirements in the Banks and Deposit-Taking Institutions Act, 2016 (Act 930) for RCBs [5]. The maintenance of an appropriate liquidity position will enable RCBs to meet withdrawal demands by investment and savings clients; meet other operational requests as they fall due and make investments in earning assets to generate income to meet the cost of the financial liabilities.
88. Poor liquidity management by the RCB can lead to other forms of risk, including non-compliance and reputation risks, as RCBs are unable to meet their obligations to both savings and loans clients and, in the worst case, business failure risk.
Given the importance of effective liquidity management for RCB profitability and sustainability as well as financial sector stability, all RCBs need to watch the key indicators that point to liquidity risk.
89. The early indicators of liquidity risk include a declining trend in the financial performance of loan product(s); deteriorating portfolio quality as measured by portfolio at risk ratios, collection and arrears rates; deteriorating net-worth, decline in earnings and profitability; and funding of non-earning assets with savings deposits.

6.2 Board Oversight for Liquidity Risk Management
90. The RCB Board has overall responsibility for ensuring that the RCB adopts measures to ensure it has adequate liquidity to meet its obligations and minimise the liquidity risk exposure to tolerable limits. In exercising the oversight, the Board has a responsibility to educate itself on the key issues that drive liquidity risk and to satisfy itself that the RCB has established the appropriate liquidity risk management framework that keeps the exposure within acceptable limits.
[5] Section 36 of the Banks and Deposit-Taking Institutions Act, 2016 (Act 930)
91. The Board’s duties with respect to liquidity risk management include but are not limited to the following:
Ensure the RCB has satisfactory structures and systems in place for liquidity risk management including the identification, measurement, mitigation and monitoring of liquidity risk.
Set liquidity risk tolerable limits to guide management in its operations.
Ensure the RCB has documented policies and procedures. The policies and procedures shall meet the provisions of the Guide for reporting Institutions for Rural / Community Banks and other related practices.
Understand the nature of liquidity risk that confronts the RCB and the wider Rural Bank industry so as to exercise effective oversight.
Ensure RCB managers and staff with responsibility for liquidity risk management have the requisite background and competence to perform the assigned tasks.
Ensure the RCB has a functioning and effective Management Information System in place to facilitate data management, analysis, forecasting, tracking and reporting on liquidity management.

6.3 Key Management Personnel Role and Responsibility for Liquidity Risk Management
92. The criticality of liquidity risk for the profitability and sustainability of the RCB requires that the RCB Key Management Personnel team devotes the needed attention to liquidity risk management. The specific responsibilities of Key Management Personnel include:
Develop policies and procedures to guide the management of liquidity risk in line with the RCB’s overall business model and strategy; provisions of the Guide for Financial Publication for Banks and BOG Licensed Financial Institutions and to meet the liquidity risk tolerable limits set by the Board.
Assume direct responsibility for the implementation of policies and procedures developed to facilitate effective liquidity risk management.
Ensure compliance with regulator’s provisions with respect to liquidity management, compliance with various reserves, investments in approved instruments and other prudential requirements [6].
Anticipate various scenarios with respect to the RCB liquidity levels through stress testing and assess RCB’s capacity to respond to the various scenarios.
Communicate various liquidity risk management strategies to all responsible staff to ensure compliance with the various strategies.
Ensure adequate internal controls exist in support of the overall liquidity risk management process.
[6] Section 34, 36 and 73 of Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930)
Update the Board periodically on the appropriateness or otherwise of the liquidity risk management practices and bring any emerging and early warning signals to the Board’s attention.
Continuously review the appropriateness of the measures established for liquidity risk management and make recommendations which are deemed appropriate for approval by the RCB Board.

6.4 Policies and Procedures Framework for Liquidity Risk Management
93. The size of the RCB and its business model will influence the policies and procedures that should guide liquidity risk management. These are mostly captured in “Asset and Liability Management or Treasury or Operational Manuals”. The manuals will have to meet the following basic requirements as a minimum:
RCBs must have a liquidity management strategy that outlines specific goals to be met by the liquidity risk management system, specific measurable objectives to be achieved as part of the liquidity risk management, detailed strategies for achieving the objectives and performance indicators for tracking and verification.
All RCBs shall have in place documented policies and procedures on liquidity risk management. This shall either be a liquidity policy manual or a subset of an asset and liability management policies and procedures manual or operational manual.
Determine techniques for identifying all activities and events that have the likelihood of causing liquidity risk such as declining deposits, rapid withdrawal, deteriorating loan portfolio, incident investigations, client interviews.
Provide guidance on the specific liquidity risk management tools and techniques available for identifying, measuring, mitigating, monitoring, controlling and reporting liquidity risk. Tools shall include the establishment of liquidity limits, key liquidity risk indicators such as liquidity ratios, liquid assets as a percentage of short term liabilities and templates for analysis and reporting.
The liquidity management policies and procedures manual shall list all the steps with their associated processes and tools considered necessary to implement the liquidity risk management policies to meet best practices and requirements of the various regulations and rules.
RCBs shall outline the mix of assets and liabilities that will meet the desired level of liquidity requirements in line with the provisions of the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930) [7]. Mechanisms for ensuring continuous compliance shall be established.
Establish the key funding sources available to the RCB to meet its maturing obligations and outline the contribution of each source to the pool of funds while ensuring there is no overreliance on one source of funding through the establishment of limits for each category of funding source.
[7] Section 34, 36 and 73 of Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930)
Establish clear structures that facilitate liquidity risk management, outlining lines of authority and reporting including committees and respective individuals that are charged with specific responsibilities. An Asset-Liability Management Committee (ALCO) is recommended to be instituted by medium to large RCBs, with small sized RCBs ensuring a schedule officer is in charge of coordinating activities relating to asset-liability management.
Clarify roles and responsibilities for the various liquidity risk management functions and tasks including planning and forecasting, review, monitoring and reporting.
RCBs shall aim to have a stable and diversified funding structure. This shall be realized through the periodic assessment of each funding source to identify those sources considered more stable, those that are considered unstable and those in between the two. The categorization shall serve as input for estimating available liquidity for purposes of planning. Stability shall be measured by the estimated duration of retention.
Maintain a vault/safe cash policy that balances the need to hold cash to meet envisaged cash requirements (withdrawals and expenses) while at the same time minimising the level of non-earning assets such as cash. Where the RCB operates a branch, there shall be limits for each branch with respect to cash holding based on the historical trend of deposits, withdrawals and the net positions as adjusted with respect to expected seasonal changes. As much as possible, RCBs should not apply the same holding limit across all branches although the same formulae can be used for determining the cash holding for the branches.
Liquidity management strategy shall be communicated to all relevant staff through training and enforcement. Staff shall be made aware of how their actions and inactions such as low savings mobilization and inability to collect repayment due affect liquidity risk.
Establish a framework for generating a rolling cashflow projection which estimates the RCB’s inflows and outflows and by extension the net deficit or surplus. The schedule of projection should be detailed (daily, weekly, fortnightly, and monthly) to facilitate the identification of potential gap areas that have to be planned for. Given that shorter cashflow durations can be more accurately predicted, projections for the first month could have the first week or the first two weeks projected on a daily basis and the subsequent months on a weekly basis. The behaviour of savings and loan clients and the seasonalities in their businesses should be factored into the projections to approximate expected net cash positions.
Establish a framework for generating liquidity contingency plans that spell out various stress scenarios and strategies for addressing the scenarios in response to potential liquidity crises. Stress scenarios may include a mix of higher percentage withdrawal than planned or expected; lower percentage of deposit mobilization than expected and higher proportion of disinvestment prior to maturity date. This will ensure the generation of various stress scenarios to test the RCB’s capacity to respond to various liquidity scenarios and address risks that may emerge from these respective scenarios.
Liquidity risk management policies and procedures shall be reviewed at least once a year and updated with emerging risks and strategies for improving the RCB’s liquidity risk management practices.
Implement a robust Management Information System that facilitates data entry, analyses, forecasting, stress scenario generation, monitoring and reporting. The system should have capacity to aggregate and disaggregate data to facilitate generation of consolidated and disaggregated reports, and daily internal report generation that will hint at any potential liquidity challenge. Specific outputs will be changes in the largest savings and investment account holders; trends in the repayment practices of significant loan clients and overall loan portfolio; funding and maturity gap reports that will point to envisaged liquidity shortfalls; analysis of impact of changes in the market place and client behaviour on liquidity position.

6.5 Guidelines for Measurement, Monitoring and Control of Liquidity Risk Management
94. Liquidity risk measurement is a continuous activity of generating a schedule on all anticipated cash inflows and outflows to identify potential shortfalls and surpluses. The net position should be adjusted to analyse the impact of changes in off-balance sheet events, changes in economic environment and market conditions. The liquidity exposures are further measured through the use of other tools and techniques such as the annual funding plan; contingency funding plan and various cashflow management and liquidity ratios. The net positions will be compared to the pre-determined tolerable limits as a basis for selecting mitigating strategies.
95. Other activities and events identified as potential causes of liquidity risk shall be measured using the RCB’s adopted risk severity matrix to determine the probability of the identified risks occurring and the potential impact if they occur.
96. Monitoring of liquidity risk exposure is a daily practice that has to be assigned to a designated responsible officer mandated to track the key risk indicators and ensure that the indicators remain within tolerable limits. Specific ratios to be tracked include cash and near cash items as a proportion of current liabilities; liquid assets / deposits; liquid assets / total assets; primary and secondary reserve ratios.
97. Liquidity monitoring shall be done at branches and head office to ensure complete coverage of events that may lead to unacceptable liquidity exposures.
98. Liquidity risk exposures shall be controlled through managing activities identified as key drivers such as quickening repayment collections, improving savings mobilization, reducing disbursement levels, negotiations with major providers of financial liabilities and use of established borrowing arrangements with institutions.
6.6 Internal Controls over Liquidity Risk Management
99. Internal controls to observe in respect of liquidity risk management are presented below.
Organisational Structure: Institute appropriate Board and management committees for liquidity risk management and assign duties to schedule officers whose work revolves around liquidity risk management.
Documentation: Processes to be followed in implementing the liquidity risk management system shall be documented and updated where considered appropriate. All steps for generating stress scenarios and various contingency planning shall be documented.
Segregation of Duties: Ensure there is segregation between the officer who, for example, develops the projections and the one who reviews them. Given the small size of most RCBs, supervisory controls shall be exercised over the various projections and implementation of strategies for containing liquidity risk.
Review and Approval: Key Management Personnel should consistently review the strategies, policies and procedures for liquidity risk management and make appropriate changes for approval by the Board of directors. Implementation of strategies for addressing liquidity risk exposures shall be properly reviewed and approved to ensure limitation in further exposures.
Compliance with Policies and Procedures: Key Management Personnel should report to the Board on continuous compliance with approved liquidity risk management policies and procedures. Internal audit shall undertake comprehensive review of the liquidity management process and comment on weaknesses that need to be strengthened for the attention of the Board and Senior Management.
Management Information Systems: Ensure that MIS remains relevant for generating performance data which forms the basis for liquidity risk measurement, control, monitoring and management decision making.
7.0: GUIDELINES FOR INTEREST RATE RISK MANAGEMENT
7.1 Overview
100. As part of the financial intermediation function, RCBs contract financial liabilities such as deposits and investments from the market and deploy same onto the market mostly through loans and investments to earn interest income that will be used to service the cost of the financial liabilities and also meet other operational and financial goals. Interest rate risk arises from the possibility of a change in the value of financial assets and financial liabilities in response to changes in the market interest rate. The change emerges from the nature and behaviour of financial assets and financial liabilities on the market and is sometimes referred to as asset and liability management risk.
101. The immediate effect of interest rate risk on the RCB is reduced net interest earnings and profitability with the potential to affect the capital of the RCB. The main cause of interest rate risk among RCBs is that the cost of funds (financial liabilities) increases at a faster rate than the rate at which the RCB is willing or able to adjust its lending rates and rates of other financial assets.
102. There is the potential for the cost of funds (financial liabilities) to sometimes exceed the interest earned on financial assets, with resultant effect on the RCB’s earnings. These changes have impact on the underlying assets of RCBs, liabilities and in other cases off balance sheet items. Given the potential effect of this risk on RCB profitability and sustainability, it is important to have guidelines that provide direction for its management.

7.2 Board Oversight for Interest Rate Risk Management
103. The RCB Board has ultimate responsibility for managing interest rate risk. The Board has to ensure that the RCB adopts business models and practices that minimise exposure to interest rate risk.
104. The Board’s specific responsibilities include but are not limited to the following:
Establish tolerable limits for interest rate risk management.
Approve broad strategies developed to guide the management of broad market and business related risks.
Approve policies and procedures designed for the management of interest rate risk including authority and responsibility levels.
Ensure communication of policies and procedures to all staff who need to know.
Ensure Key Management Personnel complies with the policies and procedures established for the management of interest rate risk.
Ensure interest rate risk and its causes are identified, measured, mitigated and monitored.
Ensure periodic review of the measures for mitigating interest rate risks and confirm relevance and continuous appropriateness.
7.3 Key Management Personnel Role and Responsibility for Interest Rate Risk Management
105. RCB Key Management Personnel has daily responsibility for managing interest rate risk. The specific responsibilities include but are not limited to the following:
Develop interest rate risk management policies and procedures for Board review and approval.
Implement approved policies and procedures relating to interest rate risk management and related business practices that reinforce market risk management in general and interest rate risk management.
Ensure compliance with regulatory provisions that impact interest rate risk management.
Ensure compliance with the authority and responsibility levels approved by the Board.
Implement measures outlined for identifying, measuring, mitigating, monitoring and controlling of interest rate risks.
Implement and satisfy itself that there is compliance with the system of internal controls established to serve as effective check over the processes leading to the management of interest rate risks.
Maintain a Management Information System that facilitates the tracking and generation of appropriate reports in respect of interest rate risk management.
Periodically review the overall process of interest rate risk management and where necessary make appropriate recommendations for approval by the Board.

7.4 Policies and Procedures Framework for Interest Rate Risk Management
106. RCBs are required to put in place detailed policies and procedures for keeping interest rate risk in check. Although such policies and procedures will be influenced by the size of the RCB, type of business model operated and funding structure, there are basic policies and procedures that have to be considered. These are mostly captured in “Asset and Liability Management or Treasury or Operational Manuals”. The policies and procedures are presented below.
The RCB shall have its policies and procedures for interest rate risk management documented and approved by the Board.
The RCB shall have mechanisms to establish tolerable limits for interest rate risk.
The RCB shall establish quantitative parameters that define acceptable ranges of interest rate risk of the RCB.
The RCB shall determine upper limits and mix for various types of financial instruments and portfolios and ensure the upper limits are subject to review periodically.
The RCB shall describe instruments to be used for hedging and managing exposures that affect interest rate risk.
The RCB shall describe structures and committees to be instituted to facilitate interest rate risk management.
The RCB shall clarify lines of responsibility, authority and accountability over the various stages of interest rate risk management.
The RCB shall establish mechanisms that facilitate the assessment of new initiatives, programmes, and products to assess their impact on the institution’s interest rate risk exposure and incorporate results of the assessment into the overall risk management process.

7.5 Guidelines of Measurement, Monitoring and Control of Interest Rate Risk Management
107. Specific guidelines for measurement, monitoring and control of interest rate risk are presented below.
RCBs have to adopt accurate and timely strategies for the measurement of interest rate risk for effective interest rate risk management.
The measurement system should be structured to assess the effects of interest rate changes on both earnings and the economic value (or net worth) of the RCB.
The measurement system adopted should provide a basis for determining the RCB’s current exposure.
The measurement system should focus on assessing all material interest rate risk associated with an RCB’s assets, liabilities and off-balance-sheet positions.
The measurement system should be built on generally accepted financial concepts and risk measurement techniques.
The basic methods that can be used by RCBs to manage interest rate risk include gap analysis, duration measures, limits and stress testing. These are presented below.
108. Gap Analysis: This is a method that distributes interest sensitive assets, liabilities and off-balance sheet positions into time bands according to their respective maturities if these are fixed rates or time remaining to their next repricing if these are floating rates.
The schedules can be used to generate simple indicators of the interest rate risk sensitivity of both earnings and economic value (net worth) to changing interest rates. The size of the gap for a given time band, which is financial assets minus financial liabilities plus off-balance sheet exposures that have changing rates or mature within that time band, provides an indication of the RCB’s repricing risk exposure.
109. Duration: Duration is a measure of the percentage change in economic value (net worth) of a position that will occur given a small change in the level of interest rates. A maturity/re-pricing schedule can also be used to evaluate the effects of changing interest rates on an RCB’s economic value (net worth) by applying sensitivity weights to each time band. Typically, such weights are based on estimates of the assets and liabilities that fall into each time-band, where duration is a measure of the percent change in the economic value of a position that will occur given a small change in the level of interest rates. Duration-based weights can be used in combination with the gap analysis (maturity/repricing schedule) to provide an approximation of the change in an RCB’s economic value that would occur given a particular set of changes in market interest rates.
110. Limits: The goal of interest rate risk management is to maintain the RCB’s interest rate risk exposure within self-imposed parameters over a range of possible changes in interest rates. A system of interest rate risk limits and risk taking guidelines therefore provides the means for achieving that goal. This system sets boundaries for the level of interest rate risk for the RCB and, where appropriate, should also provide the capability to allocate limits to individual portfolios, activities or business units.
111. Stress Testing: The risk measurement system should also support a meaningful evaluation of the effect of stressful market conditions on the RCB. The stress testing should be designed to provide information on the kinds of conditions under which the RCB’s strategies or positions would be most vulnerable so that it is tailored to the risk characteristics of the RCB. Possible stress scenarios might include abrupt changes in the general level of interest rates, changes in the relationships among key market rates (i.e., basis risk), changes in the slope and the shape of the yield curve (i.e., yield curve risk) and changes in the volatility of market rates. Additionally, stress scenarios should include conditions under which key business assumptions and parameters break down.

7.6 Internal Controls over Interest Rate Risk Management
112. RCBs must have strong and functioning internal controls that ensure the integrity of the interest rate risk management process. An effective system of internal controls over interest rate risk management requires the basic elements of internal controls to be in place.
Documentation: Processes to be followed in implementing interest rate risk management system shall be documented and updated when considered appropriate. All steps for generating gap analysis, stress testing and various projections shall be documented.
Review and Approval: Key Management Personnel should consistently review the strategies, policies and procedures for interest rate risk management and make appropriate changes for approval by the Board. Implementation of strategies for addressing interest rate risk exposures shall be properly reviewed and approved for implementation.
Compliance with Policies and Procedures: Key Management Personnel should report to the Board on continuous compliance with approved interest rate risk management policies and procedures. The RCB’s Internal Audit should undertake comprehensive review of the interest rate risk management process and comment on weaknesses that need to be strengthened for the attention of the Board and Senior Management.
Management Information Systems: Key Management Personnel should ensure that MIS remains relevant for generating performance data which forms the basis of interest rate risk measurement, control, monitoring and management decision making.
8.0: GUIDELINES ON OPERATIONAL RISK MANAGEMENT
8.1 Overview
113. RCBs have human resources, processes and information technology systems among others that are used on a daily basis in their operations. Operational risk includes the potential that inadequate technology and information systems, operational challenges, insufficient human resources or fraud among others will result in unexpected losses that impact the RCB’s earnings capacity and capital. Operational risks on their own are also drivers of other risks. For example, a poor management information system or its breakdown could trigger credit risk, reputation and non-compliance risks.
114. Key causes of operational risk include poor internal controls, non-adherence to controls built into processes over various transactions; lack of documentation; understaffing and overstaffing, hiring of unsuitable staff, high staff turnover and unclear staff responsibilities; improper supervision, infrequent reconciliations and weak monitoring; manual processing and weak controls in the information system.
115. The major mitigating strategies for operational risk include adoption of improved people management practices, documentation and enforcement of policies and procedures, clarity in responsibilities and use of robust Management Information Systems (MIS).

8.2 Board Oversight for Operational Risk Management
116. The Board has to ensure there are adequate measures in place to mitigate the adverse effects of operational risk on the RCB’s safety and soundness. The responsibilities of the Board regarding the management of operational risk include but are not limited to the following:
Ensure the RCB has a comprehensive strategy framework for the overall business that clarifies the corporate vision, mission, core values and business objectives for the medium term (3-5 years).
- Ensure RCB has mechanisms for identification of operational risks that can affect its operations; assessment of the identified risks; formulation of strategies for addressing the significant risks, monitoring and reporting.
- Review and approve the various types of operational risk faced by the RCB and the strategies put in place for the mitigation of these risks.
- Ensure the RCB has an appropriate organisational structure that clarifies various levels of organisational responsibility, authority and accountability.
- Ensure RCB has adequate policies and procedures for the major functional areas of the RCB and these are complied with.
- Ensure the establishment of functioning internal control measures, including an internal audit function, in line with the provisions of the Guide for Financial Publication for Banks and BOG Licensed Financial Institutions, 2017.

8.3 Key Management Personnel Role and Responsibility for Operational Risk Management

117. The Key Management Personnel of the RCB has responsibility for the day to day management of operational risk. The specific responsibilities include but are not limited to the following:
- Develop detailed policies and procedures covering the various risk types encountered in operational risk for Board approval. These policies and procedures shall cover among others human resource management, information systems management and other back office operations.
- Institute and ensure implementation of an effective mechanism for communicating to staff the policies and procedures designed to mitigate the significant operational risks faced by the RCB. Examples of channels are social media, news briefs and meetings.
- Implement the approved policies and procedures and ensure business unit heads, branches and operational staff adhere to the implementation of the approved policies and procedures.
- Implement and satisfy itself that strong internal controls are in place, are complied with, remain effective and are of continuous relevance to the measures put in place to manage operational risk.
- Ensure compliance with all relevant operational risk related provisions established by the regulator including careful selection of premises, staffing requirements, structure, processes and training of directors, management and staff.
- Institute a reporting mechanism between the management and board that ensures board is adequately informed on operational risks, measures to mitigate significant risks and results from the monitoring.

8.4 Policies and Procedures Framework for Operational Risk Management

118. The policies and procedures provide framework and guidance for the identification and management of operational risk.
These are mostly captured in various manuals such as, “Operational Manual, Internal Controls Manual, Human Resource Management Manual, Information Technology and Computer User Manual”. The main policies and procedures that will serve as minimum considerations in these manuals are presented:
- Institute mechanism for conducting operational risk identification, assessment, mitigation, monitoring and reporting.
- Design and operate a documented organisational structure that accommodates all departments and units of work organisation, organisational hierarchy, authority and accountability.
- Departmental and unit mandates are adequately documented and staff job descriptions are current regarding job title, level in the RCB, reporting lines, detailed tasks for the job and performance indicators.
- Adequate human resource management policies and procedures shall be in place covering the human resource management philosophy of the RCB, recruitment management, staff placement and progression; performance and reward management; succession planning; training and development; employee engagement and grievance handling mechanisms.
- Institute policies and procedures for information technology and systems usage in the RCB to protect the integrity of the system.
- Ensure back office operations such as processes for accounting and reporting, reconciliations and various transactions management are documented and implemented.
- Ensure there are process maps covering key processes of the RCB including account opening, reconciliations, field operations and internal controls operated by the RCB.
- Ensure physical controls over the RCB’s properties are in place and there are adequate provisions in ensuring that identified risks are effectively managed.
- Institute mechanisms for periodic testing and review of RCB’s internal controls framework and generate proposals to enhance effectiveness.

8.5 Guidelines for Measurement, Monitoring and Control of Operational Risk Management

119. Operational risk shall be measured through key risk indicators such as staff numbers, staff turnover, staff productivity ratios, number of errors in a batch of processed transactions, number of complaints received from staff and clients with respect to operational lapses; number of unethical practices recorded; number and percentage of processes covered by documentations; number of information systems disruptions recorded during a defined period.

120. Monitoring and tracking of the key risk indicators have to be undertaken by the respective managers and officers with responsibility of the various functional areas as well as internal audit.

121. The risk indicators monitored shall be compared to the RCB’s risk tolerable limits to determine the status of broad operational risk and actions to be taken. Quarterly reports on key risk indicators and action taken as well as recommendations shall be prepared by the RMC and shared with the Board.

8.6 Internal Controls over Operational Risk Management

122. Internal controls to observe in respect of operational risk management are presented:
- Organisational Structure: Institute appropriate organogram with supporting definition of mandates, authority and accountability structures.
- Documentation: Adequate documentation exists in respect of all key processes in the RCB.
- Segregation of Duties: Ensure there is segregation of duties among the staff to serve as checks on the various processes.
- Review and Approval: Key Management Personnel is required to consistently review compliance with the policies and procedures as well as controls within the various transactional processes that require approval prior to posting and filing.
- Compliance with Policies and Procedures: Key Management Personnel is required to report to the Board continuous compliance with approved policies and procedures relating to human resource, information system and other back office operations.
- Management Information Systems: Ensure that controls to minimize errors generated through MIS remain relevant and are complied with.

9.0: GUIDELINES FOR FRAUD RISK MANAGEMENT

9.1 Overview

123. The operations of RCBs open them up to fraud risk which is the risk of loss of earnings or capital as a result of intentional deception by an employee or client or both, Board and Management. RCBs are susceptible to fraud especially due to weak internal controls or poor enforcement of controls; poor segregation of duties and absence of supervisory controls; weak management information system; recruitment of inappropriate staff; high staff turnover; rapid growth and expansion.

124. Activities that expose RCBs to fraud include deposit mobilization; loan appraisal, approval and disbursement; collection of repayment in cash, software changes and migration from manual to computerized systems.

125. Examples of fraud include direct theft of cash by staff, bribes, kickbacks, diversion of loan repayments and the use of RCB’s resources for personal benefit. Fraud risk can however, be managed through the institution of effective internal controls.

9.2 Board Oversight for Fraud Risk Management

126. The Board of directors has ultimate responsibility for ensuring that the RCB operates internal controls and systems that adequately verify, safeguard and maintain accountability of the assets of the RCB.

127. Responsibilities of the Board include but are not limited to the following:
- Obtain understanding of the various RCB transactions and activities that expose it to fraud.
- Ensure the RCB has adequate internal controls in respect of the various transactions and activities that expose the RCB to fraudulent activities.
- Approve strategies, policies and procedures designed to facilitate fraud management including sanctions framework and ensure these are in line with provisions relating to fraud and fraud reporting in the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930)8.
- Ensure management implements fraud management strategies and adheres to policies and procedures designed to facilitate fraud risk management.

9.3 Key Management Personnel Role and Responsibility for Fraud Risk Management

128. Key Management Personnel has responsibility for managing the day to day operations of the RCB which creates opportunity for fraud. The roles and responsibilities of Key Management Personnel include but are not limited to the following:
- Develop mechanisms for identification of opportunities for fraud including those in manual and computerised environments.
- Develop strategies, policies and procedures for fraud management and seek approval of the Board of directors.
- Implement and oversee effectiveness of programmes to create awareness of fraud management policies and procedures among staff and clients.
8 Section 58 and 120 of the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930)
- Comply with and verify adherence to all policies and procedures aimed at managing fraud risk.
- Implement and verify adherence at all levels to internal controls established to safeguard and maintain accountability of the assets of the RCBs.
- Report all fraud cases in line with the provisions relating to fraud reporting in the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930)9 and implement sanctions in line with the RCB’s approved fraud management policy.

9.4 Policies and Procedures Framework for Fraud Risk Management

129. Fraud risk management is largely influenced by the implementation of various policies and procedures covering other functional areas and processes of the RCB. This notwithstanding, specific policies and procedures are required for fraud risk management. RCBs may choose to have detailed policies and procedures manuals on fraud management. The main policies and procedures to be covered in the manual will include the following:
- Institute appropriate mechanisms for identifying the processes and transactions that open the RCB up to intentional deception and assess adequacy of controls over each of the identified processes. This shall include but not be limited to the lending methodology (individual versus group lending) and supporting processes, deposit mobilization, account opening and access to RCB’s database.
- For each of the identified risks, adopt the use of risk severity for measuring and prioritising significant risks and adopt well defined strategies for controlling and monitoring the prioritised risks.
- Develop fraud management policy that clarifies activities that fall into the category of fraud, processes for investigating fraud and sanctions for various fraud types.
- Institute steps for conducting fraud and incidence investigations and audit when this comes to the attention of Senior Management.
- Design communication strategy on fraud reporting to provide information to client, staff and other stakeholders when fraud occurs.
- Institute procedures to recover from fraud, including admission that fraud has occurred, reassurance to affected clients of RCB’s commitment to zero tolerance for fraud, strict enforcement of RCB policies and procedures, reinforcement of controls over operations and specifically around the area of fraud and enforcement of sanctions against perpetrators.

9.5 Guidelines of Measurement, Monitoring and Control of Fraud Risk Management

130. Management must institute appropriate mechanisms for identifying fraud risk points in the RCB’s operations. Each of the fraud risk points should be measured using the RCB’s predetermined risk severity matrix. The identified fraud risk points should be evaluated with respect to adequacy of preventive controls to reduce the probability of the risk occurring.
9 Section 120 of the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930).
131. The identified fraud risks and measures shall be monitored and reported through a framework for tracking the risk indicators and events that constitute early warning signals of fraud. The indicators and events include missing documentation (receipt books and invoices); worsening PAR ratios and delinquent loans; cases of disregard for approved internal controls; absence of bank reconciliation and client loan and savings accounts reconciliation; weak or non-functioning software; suspense accounts; over reliance on use of cash; inadequate or complete lack of audit trails.

132. For each fraud case that has occurred and events tracked as potential causes of fraud, the RCB must compile quarterly reports for the attention of the Board and furnish Bank of Ghana with the fraud related information. The report has to indicate key actions taken to reinforce controls over fraud risks and to forestall any future occurrences.

9.6 Internal Controls over Fraud Risk Management

133. Internal controls over fraud risk are presented:
- Organisational Structure: RCBs shall have an organizational structure that shows various functions, authority and accountability levels. Each department or work unit shall have a documented mandate that clarifies scope of responsibility to limit their operations and opportunity for fraud.
- Documentation: All operational processes and transaction flows shall be documented and known to all staff.
- Segregation of Duties: RCBs shall ensure there is segregation of duties such that one person does not initiate and complete a transaction. In the case of small sized RCBs that cannot afford segregation of duties in all processes, supervisory controls must be emphasized and adhered to.
- Review and Approval: Key Management Personnel should consistently review documentations and completed transactions prior to approval.
- Compliance with Policies and Procedures: Key Management Personnel should report to the Board continuous compliance with approved policies and procedures at all levels of the RCB.
- Management Information Systems: Ensure that MIS remains relevant and facilitates the generation of accurate and timely reports for tracking variances and early warning signals of fraud. MIS should also facilitate the generation of audit trails.

10.0: GUIDELINES FOR INFORMATION TECHNOLOGY AND SYSTEMS RISK MANAGEMENT

10.1 Overview

134. With the advancement in computer and Information Technology (IT), most RCBs have become increasingly dependent on computerised information systems to carry out their operations and to process, maintain and report essential information. Staff including accounting officer, loan officers, human resource officers and other operational staff use various levels of information technology. The level of computerisation, however, varies from one RCB to the other. But any level of computerisation comprising the use of computers and supporting software applications can pose significant threat to the RCB’s operations and business continuity.

135. The risk inherent in computerisation can impact several other risks including credit risk, liquidity risk, regulatory, compliance and reputation risks. Potential risk areas include duplication of input; unauthorised access; data loss due to file damage, data corruption (manipulation), inadequate backup, fire, burglary, power failure (or fluctuations), viruses, absence of firewalls, computer fraud and absence of audit trails.

136. RCBs therefore need to be familiar with information technology and computer related risks to ensure they adopt relevant controls to reduce the probability of the risks occurring and mitigate their effect on the RCB should any of them occur. Information technology and computer related risks are very dynamic and there will be need for continuous search for and management of significant risks that can affect the operations of RCBs.

10.2 Board Oversight for Information Technology and Systems Risk Management

137. The Board has to ensure the RCB adopts appropriate information technology and computers that are required for current operations with the potential for accommodating future growth and expansion expectations.

138. The responsibilities of the Board shall include but not be limited to the following:
- The Board has to ensure it is familiar with information technology and computer usage in the Rural Bank business and assess their impact on the overall business operations, outreach, analyses and reporting, profitability and sustainability.
- The Board has to familiarize itself with all the relevant risks that emanate from adoption of information technology and computers and assure itself that a system exists for the identification, measurement, control, monitoring and reporting of the risks.
- The Board has to ensure the RCB has a service level agreement with the software provider and there are clear provisions on data confidentiality and post implementation support.
- The Board has to satisfy itself at all times that the strategies, policies and procedures for mitigating information technology and computer related risks are relevant and adequate to address existing and emerging risks.
- The Board has to ensure that Management evaluates and reports on the reliability of computerised data and the systems that process, maintain and report these data.
- The Board has to ensure that Management and staff have the capacity to use the computers and related applications and external auditors appointed for statutory audit have the competence and capacity to carry out computer based audit.

10.3 Key Management Personnel Role and Responsibility for Information Technology and Systems Risk Management

139. The Key Management Personnel team has responsibility for the planning, deployment and supervision of the day to day use of information technology and computers in the operations of the RCB. The responsibilities of Key Management Personnel shall include the following:
- Determine for board approval the strategic role of information technology and related practices in the RCB, including cost implications, cost benefit analysis and availability of human resource capacity.
- Identify the key risks emanating from the deployment of information technology and computerization, measure and prioritise the significant risks and propose mitigating strategies, policies and procedures for board approval.
- Carry out implementation of strategies, policies and procedures for managing information technology and computer related risks.
- Develop periodic report for the Board on the state of information technology and computer risks in the RCB and highlight issues and trends that must be brought to the Board’s attention.
- Ensure staff receive orientation and training in policies and procedures as well as the use of the adopted information technology and computers – hardware and software.
- Assure the board periodically of the integrity of the information technology and computerized system to maintain data integrity, safeguard assets, allow RCB objectives to be achieved effectively and efficiently.

10.4 Policies and Procedures Framework for Information Technology and Systems Risk Management

140. The main policies and procedures that have to be considered will include the following:
- All considerations for the deployment of information technology and related computer hardware and software shall be in alignment with the overall RCB business goals and strategies.
- Information technology and computer related expenses shall form part of the main budget and shall outline all envisaged cost relating to information technology needs assessment, acquisition of hardware and related software, maintenance and staff training.
- Establish guidelines and standards pertaining to information technology security and information protection.
- Establish procedures regarding data processing to meet organizational objectives, statutory requirements and other administrative requirements.
- Institute framework for logging all the transactions to build an audit trail file with sufficient information to identify the source of each transaction.
- Institute mechanisms to assure that processing has been accurate and complete by performing a reconciliation of totals derived from input transactions to changes in data files maintained by the process; perform further validation of transactions by checking data for duplication and consistency with other information held by other parts of the system and maintain a log of the transactions processed.
- Establish measures towards service continuity planning including availability of power and data backups. Maintain a backup register to track all backups including internet backup.
- The processes for collecting and analyzing data, storage and retrieval of data and reporting have to be documented. There must also be documentation of all forms of upgrades undertaken.
- Institute information technology audit process to check among others, data integrity, protocols for processing, reporting and storage.
- Conduct periodic assessment of user capacity and ensure adequate capacity building interventions are undertaken to address any emerging gaps.
- Institute information technology user procedures that outline roles and responsibilities of staff who work within the information technology environment and use RCB computers and related software.

10.5 Guidelines of Measurement, Monitoring and Control of Information Technology and Systems Risk Management

141. Information technology systems risk is measured through an assessment of the probability of the identified risk occurring and the potential impact on the RCB if any of the identified risks occurs using the pre-determined risk severity matrix.
Measurement of the effect of the risks on delays in operational activities, client dissatisfaction due to systems failure, inability to comply with regulatory reporting requirements and resultant sanctions are some of the impacts to consider in measuring the risks. Key risk indicators to be used include number of system downtimes over a period, duration of outage, responsive turnaround time.

142. Users of the information technology and the officer in charge of the information technology and computers shall monitor the key risks and report on changes in the risk levels and appropriateness of the controls. The observed and experienced risks shall be compared with the risk tolerable limits and appropriate strategies put in place to keep potential risks within the tolerable limits.

10.6 Internal Controls over Information Technology and Systems Risk Management

143. Information technology and computer systems work efficiently to achieve effective results if they are operated as designed. Many computers and software have inbuilt controls but have to operate within the RCB’s overall organisational framework.

144. The key controls over and within information technology and computer usage that should be known and observed by RCBs are presented:
- Organisational Structure: The place of information technology in the RCB’s organisational structure has to be at a level that ensures it provides the needed strategic and operational support expected of information technology and computers.
- General Controls: Ensure RCB has detailed guidance on general controls to create the conducive environment for utilization of information technology and computers. These include controls over data centre operations including staff who enter data in software at the RCB and conditions under which this is done; system software acquisition and maintenance; access security, and application system maintenance.
- Application Controls: These include controls that help to ensure the proper authorisation, completeness, accuracy, and validity of transactions, maintenance, and other types of data input.
- Authorisation Controls: Authorisation controls help verify the identity and authority of the person desiring to attempt a procedure or an operation. This control is exercised through use of passwords, signatures and other advanced techniques. Such controls ensure that only authorised persons have access to the computers and software and its use, to enter and/or alter transactions, to take information.
- Logical Access Control: Logical Access controls are provided to protect the financial applications and underlying data files from unauthorised access, amendment or deletion. Logical access controls include the authority of a superior officer to approve postings.
- Operation and File Controls: Operation and file controls are meant to ensure safeguarding the computer and computer files from unauthorised access, loss or theft. Controls relating to reception, conversion and processing of data and distribution of the final output promote the completeness and reliability of these operations and safeguard against the unauthorised processing of data or programmes. File controls and procedures adequately safeguard files and software against loss, misuse, theft, damage, unauthorised disclosure and accidental or deliberate corruption.
- Change Management Controls: Change management controls are used to ensure that amendments to a computer system are properly authorised, tested, accepted and documented. Poor change controls could result in accidental or malicious changes to the software and data. Poorly designed changes could alter financial information and remove audit trails.
- Information Technology Business Continuity Planning: These relate to adequate plans to resume business operations in general and specifically transaction processing and retrieval of stored data in the event of failure of computer operations. The degree of continuity planning will depend on the RCB’s dependence on computer processing. Disaster recovery planning for information technology and computer utilization should be treated as one element of the RCB’s overall business continuity plan. Back-up copies of systems software, financial applications and underlying data files should be taken regularly. Back-ups should be cycled through a number of generations by, for example, using daily, weekly, monthly and quarterly drives. Back-ups should be stored, together with a copy of the disaster recovery plan and systems documentation, in an off-site fire-safe.
- Input Controls: The objective of Input controls is to ensure that the procedures and controls reasonably guarantee that the data received for processing are genuine, complete, not previously processed, accurate and properly authorized and data are entered accurately and without duplication. Input controls, for example controls over account opening, are extremely important because one major source of error or fraud in computerized systems is incorrect or fraudulent client account opening.
- Data Transmission Controls: These controls are built into IT Applications to ensure that data transmitted over local or wide area networks such as from head office to a branch is valid, accurate and complete. RCBs should ensure that there are adequate controls to reduce, to an acceptable level, the risk of data loss, unauthorised transactions being added and data corruption.
- Processing Controls: Processing controls ensure complete and accurate processing of input and generated data. This objective is achieved by providing controls for adequately validating input and generated data, processing correct files, detecting and rejecting errors during processing and referring them back to the originators for re-processing, proper transfer of data from one processing stage to another, and checking control totals (established prior to processing) during or after processing.
- Output Controls: These controls are incorporated to ensure that computer output is complete, accurate and correctly distributed. The output controls ensure that all output is produced and distributed on time, fully reconciled with pre-input control parameters, physically controlled at all times, depending on the confidentiality of the documents. Errors and exceptions should be properly investigated and acted upon.
- Control over Output Files: Output files should be protected to reduce the risk of unauthorised amendment. Possible motivations for amending computer output include covering up unauthorised processing or manipulating undesirable financial results.
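
The reconciliation, duplicate-checking and audit-trail procedures in 10.4, together with the input and processing controls in 10.6 (control totals set before processing, rejection of items for referral back to originators), are sketched below as an added Python illustration that is not part of the Bank of Ghana guidelines. The record fields, account numbers and amounts are constructed, and hash-chaining the audit trail is an assumption of this example: one way to make amendment of logged entries detectable, not something the guidelines prescribe.

```python
"""Added illustration: control totals, duplicate rejection, reconciliation, audit trail.
Field names, accounts and amounts are constructed; they are not from the guidelines."""
import hashlib
import json
from dataclasses import asdict, dataclass

GENESIS = "0" * 64  # starting value for the hash chain (assumption of this example)


@dataclass(frozen=True)
class Txn:
    txn_id: str   # unique reference given at input
    account: str
    amount: int   # pesewas; positive = deposit, negative = withdrawal
    user: str     # source: staff member who keyed the entry
    branch: str   # source: where it was keyed


def sample_batch():
    """Constructed input batch: one duplicate reference and one unknown account."""
    return [
        Txn("T1", "RCB-001", 10000, "teller1", "HO"),
        Txn("T2", "RCB-002", -5000, "teller2", "BR1"),
        Txn("T1", "RCB-001", 10000, "teller1", "HO"),   # keyed twice
        Txn("T3", "RCB-999", 7000, "teller2", "BR1"),   # no such account
    ]


def control_totals(batch):
    """Totals the originator establishes before processing."""
    return {"count": len(batch), "value": sum(t.amount for t in batch)}


def entry_hash(prev_hash, record):
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_audit(trail, txn, outcome):
    """Log every transaction, accepted or not, with its source and a link to the prior entry."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = dict(asdict(txn), outcome=outcome)
    trail.append({"record": record, "prev": prev_hash,
                  "hash": entry_hash(prev_hash, record)})


def verify_trail(trail):
    """Return the index of the first entry that fails the chain check, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev_hash or entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return None


def process_batch(batch, header, ledger, seen_ids, trail):
    """Apply a batch to the ledger; reject duplicates and inconsistent entries."""
    if control_totals(batch) != header:
        raise ValueError("batch differs from the control totals set before processing")
    rejected = []
    for txn in batch:
        if txn.txn_id in seen_ids:
            outcome = "rejected:duplicate"
        elif txn.account not in ledger:
            outcome = "rejected:unknown-account"
        else:
            outcome = "accepted"
            ledger[txn.account] += txn.amount
            seen_ids.add(txn.txn_id)
        if outcome != "accepted":
            rejected.append((txn, outcome))   # referred back to the originator
        append_audit(trail, txn, outcome)
    return rejected


def reconcile(opening, closing, trail, header):
    """Independent check: input totals vs. logged transactions vs. changes in the data file."""
    records = [e["record"] for e in trail]
    expected = dict(opening)
    for r in records:
        if r["outcome"] == "accepted":
            expected[r["account"]] += r["amount"]
    return (expected == closing
            and len(records) == header["count"]
            and sum(r["amount"] for r in records) == header["value"])


if __name__ == "__main__":
    ledger = {"RCB-001": 50000, "RCB-002": 20000}   # constructed opening balances
    opening, trail, batch = dict(ledger), [], sample_batch()
    header = control_totals(batch)
    for txn, why in process_batch(batch, header, ledger, set(), trail):
        print("refer back:", txn.txn_id, why)
    print("reconciled:", reconcile(opening, ledger, trail, header))
    print("trail intact:", verify_trail(trail) is None)
```

Because `reconcile` works only from the opening balances, the closing balances and the trail, it can be run by someone other than the person who posted the batch, which is the segregation of duties the guidelines ask for.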

11.0: GUIDELINES FOR RAPID GROWTH AND EXPANSION RISK

11.1 Overview

145. RCBs in their quest to provide services to their chosen markets seek to grow and expand their operations. This desire sometimes comes with various uncertainties that have implications for the eventual profitability and sustainability of the RCBs. Business growth and expansion has to be undertaken in a manner that ensures the RCB does not suffer through inadequate capital to support growth, mission drift, inappropriate organisational structure, inadequate and unskilled managers and staff.

11.2 Board Oversight for Rapid Growth and Expansion Risk

146. The Board shall ensure all plans of growth and expansion are documented and discussed for Board approval. This shall be sought through various documents such as strategic business plans and annual budgets. Expansion with respect to branch networks shall be in line with section 25 of the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930) for RCBs.

147. The Board shall satisfy itself that the implications of the expansion and growth in areas such as branch network expansion, increase in market operations and entry into new markets, increase in client numbers, introduction of new products, increase in loan portfolio and acquisition of capital assets among others are presented with supporting strategies on how the changes shall be funded, the availability of appropriately skilled managers and staff that will facilitate the realisation of growth and expansion objectives, organisational structure that facilitates efficiency and effectiveness.

11.3 Key Management Personnel Roles and Responsibility for Rapid Growth and Expansion Risk

148. The Key Management Personnel of the RCB contemplating growth and expansion plans shall document such plans for the consideration and approval of the Board.

149. Key Management Personnel shall consider all the uncertainties contained in the various plans and provide measures that will address such uncertainties. Specifically, Key Management Personnel shall:
- Clarify the specific objectives of the growth and expansion plan and its alignment to the RCB’s vision and mission statement.
- Source of funding for the respective plans, feasibility and cost-benefit analysis of the plans.
- Indicate impact of the plans on capital and earnings potential of the RCB.
- Present appropriate organisational structure that facilitates effectiveness, the needed human resource for the plans and how these will be sourced to support achievement of objectives.
- List specific performance indicators such as increase in client numbers, liquidity ratios, staff turnover ratios and market share that can be used to track the performance of the growth and expansion plans.

11.4 Policies and Procedures Framework for Rapid Growth and Expansion Risk

150. Policies and procedures to be observed in mitigating rapid growth and expansion risk are presented:
- All growth and expansion plans shall be derived from the RCB’s strategic plan and/or business plan that is approved by the board.
- Management shall not pursue any growth and expansion agenda that has not been approved as part of the strategic or business plan and included in the annual budget.
- All growth and expansion plans shall be in line with the permissible activities of the RCB and shall meet all the regulatory requirements and benchmarks instituted by the regulator.
- Each specific growth and expansion plan shall be reviewed thoroughly by management to identify all potential uncertainties inherent in the various activities. These uncertainties shall be listed and measures to address them clearly outlined for approval of the Board.
- Detailed feasibility and supporting cost benefit analysis that addresses the impact on the RCB’s capital and earning capacity adequately outlined for assessment and review by the Board. The analyses shall specifically address issues of funding, availability especially of skilled and adequate managers and staff for implementation of the plans and initiatives, organisational structure that outlines reporting and accountability levels, adequacy of internal processes to facilitate achievement of expected objectives and management information system that facilitates reporting for periodic review of the impact of plans and initiatives on the RCB.
- Institute mechanisms that facilitate succession to key positions in the RCB to ensure growth and expansion plans do not suffer from absence of appropriately skilled staff.
Implement internal communication plan that explains the objectives of the growth and expansion plans, expected roles and responsibilities of key stakeholders including staff, the need to adhere to RCB values linked to the growth and expansion plans. Specific and relevant financial and operational performance indicators linked to the plans and initiatives shall be established and used to assess and monitor the implementation of the plans and initiatives. The specific objectives of the growth and expansion plan and its alignment to the RCB’s vision and mission statement. 11.5 Guidelines for Measurement, Monitoring and Control of Rapid Growth and Expansion Risk 151. Measurement of rapid growth and expansion risk shall be undertaken by assessing each of the identified risks in line with the RCB’s risk severity matrix.
152. The various activities which give rise to the various risks shall be considered independently and jointly to determine whether these should be totally avoided or mitigated through other controls such as phasing and piloting.

153. Monitoring of the identified risks shall be undertaken through periodic review of the progress of the initiatives and plans. Monitoring and update reports shall be made available to the Board periodically.

154. Control measures shall be instituted to ensure that RCB does not incur costs that cannot be recovered from the plans and initiatives.

11.6 Internal Controls over Rapid Growth and Expansion Risk

155. Internal controls over rapid growth and expansion risk are presented.
- Documentation: Processes to be followed in new initiatives and expansion programmes shall be fully documented.
- Segregation of Duties: Ensure segregation of duties in expansion activities is maintained to minimize potential losses.
- Review and Approval: Key Management Personnel should consistently review the strategies, policies and procedures for new plans and initiatives and seek approval of the Board of directors. Implementation of strategies for the initiatives and the risks shall be tracked and reported to the Board.
- Compliance with Policies and Procedures: Key Management Personnel should report to the Board on continuous compliance with approved policies and procedures during expansion and should test effectiveness of controls in the light of growth and expansion for attention of the Board.
- Management Information Systems: Ensure that MIS remains relevant for generating performance indicators and key results attributable to the expansion and growth initiatives.

12.0: GUIDELINES ON PRODUCT RISK MANAGEMENT

12.1 Overview

156. RCBs, in their bid to serve their clients and meet the competition, introduce various products in the course of their operations. The introduction of new products or the refinement of existing products comes with several uncertainties, such as appropriateness of the product for the target market, product knowledge on the part of RCB staff, product profitability and the risk that such products may even fail entirely. It is important that the Board and Key Management Personnel team of RCBs institute measures to minimise the impact of such risks on the RCB’s capital, earnings and reputation among others.

12.2 Board Oversight for Product Risk Management

157. The Board has to approve the introduction of new products and ensure that all uncertainties inherent in new products are outlined and measures put in place to address the envisaged uncertainties. The Board shall carry this out through a review of the product features, to ensure these are in alignment with the RCB mission and the needs of the target market, and a review of the profitability of the product.

158. The Board shall further ensure that products are in line with RCB’s permissible activities and all envisaged promotional strategies and distribution channels and overall compliance with regulatory pronouncements, best practices and internal policies on product development.

12.3 Key Management Personnel Roles and Responsibility for Product Risk Management

159. Key Management Personnel shall develop a product development guideline that will be approved by the Board to guide operations of the RCB. Such a product development guide shall outline the detailed steps to be followed for the introduction of new products or refinement of existing ones.
Key Management Personnel shall further ensure that each new product goes through these guidelines and assure the Board that all risks inherent in the products have been isolated and mitigating measures introduced.

12.4 Policies and Procedures Framework for Product Risk Management

160. Policies and procedures guiding the development and refinement of products, which may normally be captured in the RCB’s “Operational Manual or Product Development Manual”, are presented:
- New products shall only be introduced after going through all laid down procedures and the approval of the Board and in compliance with BoG’s provisions on new products and services.
- For each new product, management shall identify all inherent risks and provide specific mitigating measures for each of the identified risks prior to product launch.
- Educate clients on new products and product features to ensure clients understand all product features to make well informed product choices.
- Establish the cost of introducing each new product and ensure that all costs associated with the new product are assigned for determining profitability of each of the products.
- Provide training for all staff on the new products to ensure product features are well known and understood by all staff, especially those involved in sales of products.
- Ensure that products meet the needs of target markets and product features are not harmful to target clients. The RCB shall ensure appropriateness of product features, documentation of features and full disclosure of features and terms.
- For each product envisaged by the RCB, management shall ensure it undertakes the following as a minimum:
  - carry out a limited or expanded market survey to identify existing gaps in the market that can be met through the development of new products or refinement of existing products;
  - estimate the size of the target market to assure itself that the market size is adequate to justify investment in new product development;
  - support product feasibility analyses with financial projections that spell out the cost of product development and rollout strategies and the expected earnings attributable to the product;
  - development of product with features that respond to the gaps identified in the market;
  - piloting of products to assess suitability and market acceptance;
  - decision on roll out of product based on results from piloting.

12.5 Guidelines for Measurement, Monitoring and Control of Product Risk Management

161. Measurement of product risk will be driven by assessment of each of the identified risks with respect to the probability or likelihood of the risk occurring and the potential impact on the RCB’s capital and earning capacity if the risks should occur. The potential loss of each risk has to be quantified and measured using the risk severity matrix.

162. Where any of the risks identified is found to be significant, RCB management shall determine, based on judgement, whether to continue with the product development and launch within the current control environment, abandon the idea of new product development, or continue with product development subject to the introduction of additional preventive controls to lower the probability of the risks occurring and measures to mitigate the potential loss.

163. Measures that may be considered to control the risk and mitigate potential losses include use of expert opinions and services in product development, full outsourcing of product development to service providers, strengthening of market communication, phasing of product rollout in selected markets and continuous engagement of clients at development, testing and rollout phases.

164. The identified risks and mitigating strategies shall be monitored and reported for attention of the Board and management.

12.6 Internal Controls over Product Risk Management

165. The broad internal controls to be observed as part of product risk management are presented:
- Documentation: Processes to be followed in product development or refinement shall be fully documented. Changes to product development and refinement processes shall be reflected through update of documentation.
- Segregation of Duties: Ensure segregation of duties in activities that can lead to conflict of interest situations.
- Review and Approval: Key Management Personnel should consistently review the strategies, policies and procedures for product development and refinement and submit same for Board approval. All new product development initiatives and refinements shall be reviewed and approved by the Board as part of strategies for ensuring that all related risks are reviewed and determined to be within the risk tolerable limits of the RCB.
- Compliance with Policies and Procedures: Key Management Personnel should report to the Board on continuous compliance with approved product development policies and procedures during product development, piloting and launch phases.
- Management Information Systems: Ensure that MIS remains relevant for generating data that serve as input for making decisions on product development and refinement. Relevant data will include number and type of client complaints, results on client satisfaction with products, growth in outreach, financial contribution and general performance of products.

PART III: ANNEXURES

ANNEX 1: RURAL BANK INDUSTRY: BENCHMARK AND TOOLS FOR RCB RISK MANAGEMENT

| Risk Category/Sub Category | Measures/Indicators | Basis/Objective | Definition | Authority | Source Document / Means for Verification | Benchmark |
|---|---|---|---|---|---|---|
| Regulatory & Legal Risk | Shareholding Structure | Control Shareholding of Members | Proportion of largest Individual holders over total Shareholding | BOG | Register of Members | |
| | Minimum Capital | Adequate Capitalization of the RCB | Minimum paid up Capital as Regulation | BoG | Memorandum of Registration | 100% of MC 75% of MC in cash & 25 % |
| | Capital Adequacy Ratio | To avoid system risks | Ratio of regulated capital to risk weighted assets | BoG | Capital Adequacy Policy Document | 100% |
| | Well composed Board, Board Meetings and functioning Board | To provide the needed strategic direction and oversight for management of RCB | Board composed and functioning as expected | BOG | Minutes of Board Meetings | 5 members |
| | Reporting to Bank of Ghana | To comply with Central Bank’s reporting requirements | Prepare required reports to Bank of Ghana | BoG | Bank of Ghana Operational Returns Folder | 100% Compliance |
| Operational (Including Management Risk) | Human Resource Manual | To provide a clear and objective framework for people management. | Existence of Policies and Procedures manual for people management | BoG | Human Resource Policies and Procedures manual | 100% Compliance |
| | Competent Management Team | To provide the needed leadership for the RCB. | Adequate experience for RCB Operations | Section 44 (4b) of Act 930 | Human Resource Manuals and Board Minutes | 100% Compliance |
| | Internal Control Systems Manual/Operational Manuals | Provide a consistent and best practice approach to the RCB’s business. | Documented Policies and Procedures for all Operations. Communicated and known by all Staff. Reviewed in line with changes. | Section 56 of Act 930 | Internal Control Policy and Procedures Manual | 100% Compliance |
| | Internal Audit Manual | To provide an objective basis for reviewing and reporting on control systems. | Existence of Process maps. Segregation of duties | BoG Section 56 of Act 930 | Internal Audit Policies and Procedures manual | 100% Compliance |
| | Annual Budget | | | | | 100% Compliance |
| | Cost to Income Ratio (%) | To assess the operational efficiency of the bank. | Cost divided by Income expressed over 100 | | Periodic Operating statements | Maximum of 70% |
| Credit Risk | Product Development | To assess that appropriate and best practice guidelines are followed in introducing new products. | Policy Statement on Product Development. | | Product Development / Credit Policy Manual | N/A |
| | Lending Methodology | RCB has a well-documented and known approach to lending. | Each product has clearly defined and documented approach to individual and group lending; borrower selection; appraisal technique is sound and applied. | | Existence of Credit Manual. Random check on field for compliance. | 100% Compliance |
| | Approval Limits | To provide limitation in line with authority and capacity at different levels | Clear limits for Credit Officer, Branch Manager, Key Management Personnel and Board. | | Minutes and Loan Files | 100% Compliance |
| | Quality of Documentation of Loan Portfolio | Audit trail on all steps in the loan disbursement and collection process documented. | Procedures on loan disbursement and collection. | | Manual/Loan Files/Portfolio Reports | 100% Compliance |
| | Write off Policy | To prevent overstating of Assets | Clearly documented policy on write offs. | | Portfolio Reports; Board Minutes | 100% Compliance |
| | Provisioning | To prevent overstatement of asset. | | | Loan Books, Income Statement; Balance Sheet. | 100% Compliance |
| | Portfolio at Risk | To track portfolio quality and respond to early warning signs | The total gross outstanding loan that is at default risk | | Monthly Reports from the Credit Department | < 5% |
| | Loan Portfolio Yield | To determine the overall earning from the loan portfolio | Return on loan portfolio | | Loan Portfolio Reports | >30% |
| | Ageing Analysis | To assess the duration of lateness of overdue loans | A listing of debt amounts owing to the RCB, which analyses the age of the debts by splitting them into time buckets | | Arrears Reports | 100% Compliance |
| | Sector Concentration | To diversify loan portfolio risk | The proportion of loan to each identifiable sector to the total loan portfolio. | | Portfolio Reports | Maximum 30% per sector, product. |
| | Individual/Group Loan Limit | To limit exposure to one individual/group | | | | 10% |
| Interest Rate Risk | Gap analysis | To measure sensitivity of interest-bearing assets and liabilities to changes in interest rate. | Matching interest rate-bearing assets with interest rate-bearing liabilities for 3, 6, and 12 months | Internal Practice | Term structure of assets and liabilities | Look at different time buckets (3, 6, 12 months), in each bucket assets similar to liabilities; no benchmark. |
| | Changes on the financial market. | To be aware of developments in the financial market and implications for Rural Bank industry. | Monitoring procedures for developments in financial markets | Internal Practice | Schedule of developments on the financial market. Performance reports (monthly), investment policy, sensitivity analysis (if available), budget performance report. | |
| Liquidity Risk | Procedures for liquidity and funds management | To ensure that Rural Bank industry can meet its short term obligations at reasonable cost. | Arrangements for and costs of liquidity access. | Section 34 of Act 930 | Liquidity Plan and Variance Analysis Report | |
| | Liquidity ratio | To ensure that institution can meet its short term obligations at reasonable costs | Liquid assets to deposit liabilities | Section 36 of Act 930 | Liquidity statement (weekly) | 100% |
| | Primary Reserves | Ensure reasonable level of cash to meet needs of depositors | Primary Liquid Assets/Deposits | Guide for Reporting Institutions | Prudential Statements/ Liquidity Statements | 10% |
| | Secondary Reserves | Further protection of depositors | Secondary Liquid Assets/Deposits | Guide for Reporting Institutions | Prudential Statements/ Liquidity Statements | 20% |
| | Lending Ratios | Relationship between loans and deposits | Gross Loans/Deposits | BoG | Liquidity Reports/Statements | <70% |

ANNEX 2: RURAL BANK INDUSTRY – RISK ANALYSIS FORM (TEMPLATE)

| Risk ID | Nature and Category of Risk | Probability (High/Medium/Low) | Impact (High/Medium/Low) | Likelihood X Impact | Actions to be Taken | Responsibility | Remarks |
|---|---|---|---|---|---|---|---|
| | | | | | | | |

Score as follows: For probability and impact: High = 3, Medium = 2 and Low = 1

ANNEX 3: SAMPLE 5X5 RISK ASSESSMENT MATRIX

| PROBABILITY \ IMPACT | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| Almost Certain 5 | Medium Risk | High Risk | Extreme Risk | Extreme Risk | Extreme Risk |
| Likely 4 | Medium Risk | High Risk | High Risk | Extreme Risk | Extreme Risk |
| Possible 3 | Low Risk | Medium Risk | High Risk | High Risk | Extreme Risk |
| Unlikely 2 | Low Risk | Low Risk | Medium Risk | High Risk | Extreme Risk |
| Rare 1 | Low Risk | Low Risk | Medium Risk | High Risk | Extreme Risk |

ANNEX 4: SAMPLE SEVERITY MATRIX FOR RISK AND IMPACT MEASUREMENT

| PROBABILITY | Indicators |
|---|---|
| 1 Rare | Once per >3 years |
| 2 Unlikely | Once within 2-3 years |
| 3 Possible | Once a Year |
| 4 Likely | Once a Quarter |
| 5 Almost Certain | Every Month |

| PROBABILITY \ IMPACT | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| Almost Certain 5 | Medium Risk | High Risk | Extreme Risk | Extreme Risk | Extreme Risk |
| Likely 4 | Medium Risk | High Risk | High Risk | Extreme Risk | Extreme Risk |
| Possible 3 | Low Risk | Medium Risk | High Risk | High Risk | Extreme Risk |
| Unlikely 2 | Low Risk | Low Risk | Medium Risk | High Risk | Extreme Risk |
| Rare 1 | Low Risk | Low Risk | Medium Risk | High Risk | Extreme Risk |

Sample Indicators for RCB Risk Measurement

| Impact | People | Financial Loss | Reputation | Processes/Technology | Regulatory/Compliance | External Events (Client Retention) |
|---|---|---|---|---|---|---|
| 1 Insignificant | One (1) non-key staff member not available or leaves RCB. | Up to 10,000 GHS | Less than 2% of the Clients leave RCB. | One (1) process disrupted slightly | Little or no impact | Less than 4% of the Clients are affected. |
| 2 Minor | Some non-key staff members not available or leave RCB. | From 10,000 GHS to 20,000 GHS | Between 2% and 5% of the Clients leave RCB. | Several processes disrupted, recovery easily possible. | Routine regulatory finding | Between 4% and 10% of the Clients are affected. |
| 3 Moderate | Two (2) key staff members of the same department not available or leave the RCB. | From 50,000 GHS to 100,000 GHS | Between 5% and 10% of the Clients leave RCB | Several processes disrupted heavily, recovery possible but takes time and is noticed outside by the Customers. | Targeted regulator scrutiny or investigation | Between 10% and 20% of the Clients are affected. |
| 4 Major | More than five (5) key staff members not available or leave RCB. | Between 10% and 25% of the Clients leave RCB | Between 10% and 25% of the Clients leave RCB | Several processes disrupted very heavily, recovery hardly possible but takes considerable time; negative consequences for customers/stakeholders. | Sustained regulator scrutiny and/or significant fines and/or formal undertaking | Between 20% and 50% of the Clients are affected. |
| 5 Catastrophic | The full management team is not available or leaves RCB. | More than 25% of the Clients leave RCB | More than 25% of the Clients leave RCB | Several processes disrupted very heavily, recovery is not possible anymore and/or takes too much time in the sense that the consequences are serious for customers/stakeholders. | Suspension or loss of license | More than 50% of the Clients are affected. |

ANNEX 5: SAMPLE KEY RISK INDICATORS TRACKING TEMPLATE

| KEY RISK INDICATORS | Definition | Risk Appetite (Based on 3X3 Matrix) | Actual | Risk Level | Trend | Action |
|---|---|---|---|---|---|---|
| PAR >30 | The value of all loans outstanding with one or more installments of principal past due more than 30 days as part of the total loan portfolio. | L:<5% M:>5%, <10% H:>10% | 8.5% | Medium | | Training loan officers regarding recent incident; adjustment remuneration; surprise audits |
| Staff Turnover | The number of employees that leave the organization as part of the total number of employees on the payroll. | L:<2%,<5% M:>5%, <8% M:<2% H:>8% | 7.0% | Medium | | Start to conduct exit interviews; staff satisfaction survey |
| MIS/IT Availability | Ability of an MIS service to perform its agreed function when required as part of the day’s working hours. | L:<95% M:>90%, <95% H:<90% | 92% | Low | | Keep monitoring to be sure that controls are effective |
| % of Retail (Petty Trader) Loans | Amount of retail loans as part of total amount of outstanding loans. | L:<30% M:>30%, <50% H:>50% | 60% | High | | Stop disbursing retail (petty trader) loans; increase monitoring of existing loans; increase lending to other segments; brief loan officers on the risks. |

ANNEX 6: SAMPLE TERMS OF REFERENCE OF RISK MANAGEMENT COMMITTEE (RMC)

A: Overview
The Board has ultimate responsibility for approving all policies for the RCB including its risk management policy. The Board also has oversight responsibility for risk management functions performed at all levels of the RCB, ensuring the creation of an environment with the right structures for risk management to operate effectively. The Risk Management Committee is a management committee that is given a delegated responsibility by the Board for ensuring the implementation of an effective risk management framework in the RCB. The constitution of a management team for risk management does not preclude the Board from establishing a subcommittee of the Board with focus on risk management. The provisions in the terms of reference are subject to the approval of the Board and will be revised as deemed appropriate by the Board.

B: Mandate of the Risk Management Committee (RMC)
The RMC has a Board delegated responsibility for ensuring that the RCB has a structured and functioning approach to risk management. The RMC will focus on the RCB's important risks and controls. The committee will institute effective arrangements for anticipating and managing new and ongoing risks in the RCB, generate communication among the management team on risk, and foster a collaborative approach to risk management in the RCB.

C: Specific Responsibilities
Specific responsibilities of the Risk Management Committee include but are not limited to:
10. Undertake a holistic review of all risk management policies on an annual basis to make sure they are effective and updated regularly;
11. Assess the risk implications of all Board decisions and inform the Board appropriately;
12. Ensure there is a framework in place for promoting risk management awareness creation and training of staff on a sustained basis.

D: Composition
The RMC will comprise a minimum of 3 members drawn from the Management Team and will be chaired by the Chief Executive Officer and coordinated by the Coordinator of Risk Management.

E: Reporting
The Risk Management Coordinator, working with various Heads of branches, departments and work units, will compile a quarterly risk assessment report that summarizes the RCB's main risks based on the assessment of the Risk Management Committee. The RMC will discuss the report and adopt it for submission to the Board.

F: Meeting
The Committee will meet mandatorily on a quarterly basis, although in its first year of existence, it will meet more frequently. Summaries of the Committee’s minutes will be circulated to the Board which has oversight of the Committee’s work.

Approved by the Board on: xxxxxxxx
Date: xxxxxxxxxxxxxxxxxx

ANNEX 7: ROLES AND RESPONSIBILITY MATRIX FOR RISK MANAGEMENT

| Designation | Summary Roles and Responsibilities |
|---|---|
| Board | 1. Ownership of risks and determination of acceptable limits. 2. Approval of policies. 3. Oversight. |
| Senior Management | 1. Identify risk. 2. Develop policies, procedures and key risk indicators. 3. Implement policies. 4. Assign responsibility. 5. Ensure compliance. |
| Branch Management | 1. Oversee implementation of policies and procedures. 2. Implement policies and procedures. 3. Monitor adherence to controls at branch level. 4. Collate feedback for improvement of controls. |
| Operational Staff | 1. Adhere to policies and procedures. 2. Offer suggestions on effectiveness of controls. 3. Provide feedback for improvement of controls. |
| Internal Audit | 1. Verify compliance with controls. 2. Test effectiveness of controls. 3. Make recommendations to improve control environment. 4. Report to board on extent of compliance and relevance of controls. 5. Identify emerging risks and uncontrolled risks. |

ANNEX 8: TOOLS AND TECHNIQUES FOR RISK IDENTIFICATION AND ASSESSMENT

ANNEX 9: SAMPLE FRAUD POLICY

This document is a sample fraud policy which can be modified for use by RCBs that desire to develop a fraud policy for their institution.

Background
The RCB, (insert name) commits to maintaining high legal, ethical and moral standards. The shareholders, directors, management, and staff are expected to share in this commitment. This policy is established to facilitate the development of procedures which will assist in the deterrence of fraud and in the identification, investigation and sanctioning of perpetrators of fraud and related offences. The Board has put in place measures designed to reduce the likely occurrence of fraud and to mitigate the effect of fraud on the RCB's earnings and capital if it occurs. These include documented procedures and systems of internal control and risk assessment. This fraud policy statement and other related documents are intended to give assurance of the RCB's commitment to minimising fraud risk and to give directions on how to deal with suspected fraud cases.

Fraud Policy
The RCB adopts zero tolerance for fraud and expects that management will institute preventive, detective, and corrective controls that minimise the potential of fraud, detect fraud when it is committed and position the RCB to adopt remedial measures to recover from the fraud and prevent future occurrence. Additionally, the Management is required to design and implement measures that promote a risk and fraud awareness culture in the RCB. All fraudulent activities identified have to be investigated, and any person found culpable sanctioned and reported to the Bank of Ghana.

The Board’s Commitment
The Board is committed to maintaining an honest, open and ethical culture within the RCB. It is also committed to the identification and investigation of fraudulent activities within the RCB. The Board wishes to encourage anyone having reasonable suspicions of fraud to report same to the Management or Board. The Board will ensure that no employee will suffer in any way as a result of reporting reasonably held suspicions. For these purposes, ‘reasonably held suspicions’ shall mean any suspicions other than those which are shown to be both raised maliciously and then found later to be groundless.

Actions Constituting Fraud
Fraud comprises the use of deception to obtain an unjust or illegal financial advantage, intentional misrepresentations affecting the RCB and other financial malpractices perpetrated by one or more individuals. The specific actions constituting fraud and their appropriate sanctions have to be outlined and communicated to the Board for approval. The Board, Management, and all other staff have to familiarise themselves with the types of actions that constitute fraud in the RCB and to be alert for any indications of irregularity.

ANNEX 10: ADDITIONAL RISK MANAGEMENT TERMINOLOGIES

A. Risk Appetite: The RCB’s unique attitude towards risk taking, which in turn dictates the amount of risk that it considers acceptable.
B. Risk Acceptance: This situation exists when no action is taken to prevent the likelihood of harm to the RCB as a result of a known condition or event.
C. Risk Analysis: This is a process that assesses the individual risks, estimates the impact of each of the risks especially on RCB’s capital and earning capacity, develops corresponding risk profile and provides recommendation on mitigation strategies.
D. Risk Centre: This could be department, branch, section, unit or even a geographical area having clear boundaries and defined risk exposure.
E. Risk Controls: These are systems, policies, procedures, practices and safeguards designed to minimize the frequency or severity of conditions or events that increase risk.
F. Risk Control Effectiveness Rating: This is a measure that defines how effectively the risk management controls are managing the risks. Additionally, this rating is used to measure how effective further risk treatments have been in addressing the shortcomings of current controls when the current control had been rated as “room for improvement” or “inadequate.”
G. Risk Dashboard: This is a graphical presentation of the RCB’s key risk measures (often against their respective tolerance levels); typically used in reports to senior management.
H. Risk Evaluation: This involves reviewing the results of a risk analysis, determining the significance of the risk exposures and deciding whether to accept and manage them, transfer them by means such as insurance, or a combination of the two.
I. Risk Register: A risk register is a tool for documenting risks and actions that manage each documented risk. As risks are identified, they are logged on to the register and actions to respond to the risks are documented in the register to facilitate tracking.
J. Risk Response: This refers to the establishment of an action plan to address those risks considered to be high. A risk response may be in the form of an action plan to outline the actions to be taken in respect of each risk, assigning responsibility, timelines and means of verification for the management of the risks identified.
K. Inherent Risk: The exposure arising from a specific risk before any action has been taken to manage it.
L. Risk Matrix: It is a tool that is used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of impact severity. A risk matrix may be either a 3X3 or 5X5 matrix.
M. Risk Mapping: The visual representation of risks (which have been identified through a risk assessment exercise) in a manner that facilitates priority-ranking. This representation often takes the form of a two-dimensional grid with probability (or likelihood of occurrence) on one axis, and severity (or degree of financial impact) on the other axis.
N. Risk Profiling: The use of a tool or system to rate and/or prioritize a series of risks.
O. Risk Protocols: Risk protocols are presented in the form of the risk guidelines for the RCB and may include the rules and procedures, as well as specifying the risk management methodologies, tools and techniques that should be used.
P. Risk Probability: This is the chance of an event happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively.
Q. Risk Profile: This is commonly described in a conceptual sense to represent the entire portfolio of risks that the RCB faces.
R. Residual Risk: It is the level of risk assessed to remain on the assumption that additional controls (treatments or mitigation) are in place and working.